Intrusion Prevention anno 2012: Widening the IPS concept

Upload: mya-bramble

Post on 29-Mar-2015


Page 1: Intrusion Prevention anno 2012: Widening the IPS concept

Page 2

Traditional IDS/IPS doesn’t cut it anymore…

• Blended attacks
• Application-focused attacks
• “Oldies but Goodies” still exist
  − Nothing goes away. Ever.
• “Survival instinct” of applications much higher than before
  − Built-in evasion techniques

• Must assume malicious activity occurs within trusted applications

• Let’s take a closer look at some examples…

Page 3

Threat Landscape - Blended Threat & Botnet Examples

• The Corporate Botnet - Phishing
An employee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a botnet, opening the door to a compromise of the integrity of the entire network.

CIO Fears and Concerns
• The Corporate Botnet: an employee has clicked a link in a spam email and accessed a phishing site; the subsequent infection links their laptop to a botnet, opening the door to the integrity of the entire network being compromised.

ZEUS/ZBOT

• Email contains a link to a false domain
• Credentials are entered into the fake site
• Bot infection is sent to the user as a “Facebook Security Update” application
• User installs the bot and is now infected; all data is compromised
• Connection is then redirected to the real Facebook site so the user is not suspicious
• Prevalent today and sold as a crime kit

Page 4

Threat Landscape - Blended Threat & Botnet Examples

• The Corporate Botnet – Legitimate Site Compromised
An employee accesses a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code.

FakeAV Botnet

• In 2009 the advertising network used by the New York Times was infected by a malicious Flash advertisement
• Readers were accessing the NYT site but were served the malicious advertisement
• This directed users to a site hosting the exploit code to install fake antivirus software

Page 5

Threat Landscape - Blended Threat & Botnet Examples

• Targeted Attack – Spear Phishing
Using social engineering to distribute emails with links to malware; the emails are relevant to the corporation being targeted. Infected documents (PDF, DOC, XLS) can use software exploits to infect systems.

Kneber (Zeus) Botnet

• In 2010 a spear phishing attack on US .mil and .gov employees by a Zeus variant infected 50,000+ end systems
• Data stolen included:
  − Corporate login credentials
  − Email and webmail access
  − Online banking sites
  − Social network credentials
  − SSL certificates

Page 6

Threat Landscape - Blended Threat & Botnet Examples

• Ransomware
Once installed it is very difficult to reverse: files are encrypted. This is not based on the fear that something might happen; by the time you are reading the ransom note your data has already been encrypted.

gpCode Ransomware

• Once installed, searches the hard drive for document and media files
• Files are encrypted with a 1024-bit key; only the attacker has the decryption key
• Ransom note is displayed to the user; the system continues to operate but the data is inaccessible
• Will encrypt xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc.

Page 7

Addressing the Threat Landscape: Fortinet’s Next Generation Enterprise Security!

Page 8

Beyond Application Identification

• Today’s network security requires application detection, monitoring, and control
  − Allowing access to Web 2.0 applications has made enforcing data security policies far more complex
    ▪ User-created content embeds threats in content, pages, links, comments to blogs…
  − Protection against effects of social media applications
    ▪ Data loss
    ▪ Threat propagation
    ▪ Bandwidth consumption
    ▪ Inappropriate use
  − Endpoint to the core
  − “Single pane of glass” management for visibility & control

Page 9

Life of a Packet with IPS enhancements

− DoS Policy Inspection addition
  ▪ Inspected first, prior to firewall inspection

Inspection order (each stage either passes the packet on or blocks it):

IN → DoS Policy Inspection → Firewall Inspection → IPS / App. Control → AV / WF (Proxy) → OUT

  DoS Policy Inspection: PASS, or Block (attack)
  Firewall Inspection: PASS, or Block (deny)
  IPS / App. Control: PASS, or Block (attack / disallowed application)
  AV / WF (Proxy): PASS, or Block (virus / web content block)

Fortinet Confidential **Internal view only**

Page 10

Life of a Packet with IPS enhancements (continued)

− IPS & Application Control processing
  ▪ Then hand off to the proxy engines

(same inspection diagram as on page 9)

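The ordering on these two slides is the whole point: a packet dropped by the DoS policy never reaches the firewall policy, and only traffic that survives the flow-level stages is handed to the proxy engines. The following is an added toy model of that pipeline, written for this page and not Fortinet code; the thresholds, the IPS/AV signatures, the allowed ports and the sample packets are all constructed for illustration.

```python
"""Added example (not Fortinet code): a toy model of the inspection order on
the 'Life of a Packet' slides. Stages run as DoS policy -> firewall policy ->
IPS/application control -> AV/web-filter proxy. The first stage that blocks
wins and later stages never see that packet. All thresholds, signatures and
sample traffic are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str = ""        # e.g. "S" for a TCP SYN
    payload: bytes = b""
    app: str = ""          # label an application-control engine would assign
    url: str = ""          # URL seen by the web-filter proxy, if any


@dataclass
class Verdict:
    action: str            # "pass" or "block"
    stage: str             # stage that produced the verdict
    reason: str = ""


# Stage 1: DoS policy. Counts SYNs per source and runs BEFORE the firewall
# policy, so a flood is dropped even if the policy would allow the traffic.
SYN_FLOOD_THRESHOLD = 5    # constructed threshold
_syn_count = defaultdict(int)


def dos_policy(pkt):
    if "S" in pkt.flags:
        _syn_count[pkt.src] += 1
        if _syn_count[pkt.src] > SYN_FLOOD_THRESHOLD:
            return Verdict("block", "dos", f"tcp_syn_flood from {pkt.src}")
    return Verdict("pass", "dos")


# Stage 2: firewall policy (constructed: only web ports are permitted).
ALLOWED_PORTS = {80, 443}


def firewall_policy(pkt):
    if pkt.dport not in ALLOWED_PORTS:
        return Verdict("block", "firewall", f"deny dport {pkt.dport}")
    return Verdict("pass", "firewall")


# Stage 3: IPS signatures plus application control (constructed rules).
IPS_SIGNATURES = {b"../../../../etc/passwd": "HTTP.Directory.Traversal"}
DISALLOWED_APPS = {"bittorrent", "botnet_c2"}


def ips_app_control(pkt):
    for pattern, name in IPS_SIGNATURES.items():
        if pattern in pkt.payload:
            return Verdict("block", "ips", f"attack {name}")
    if pkt.app in DISALLOWED_APPS:
        return Verdict("block", "app_control", f"disallowed application {pkt.app}")
    return Verdict("pass", "ips")


# Stage 4: proxy-based AV and web filtering, reached only by traffic that
# passed the three flow-level stages above (constructed signatures).
AV_SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR_Test_File"}
BLOCKED_URL_CATEGORIES = {"malicious.example": "Malicious Websites"}


def av_webfilter(pkt):
    for pattern, name in AV_SIGNATURES.items():
        if pattern in pkt.payload:
            return Verdict("block", "av", f"virus {name}")
    host = pkt.url.split("/")[0] if pkt.url else ""
    if host in BLOCKED_URL_CATEGORIES:
        return Verdict("block", "webfilter", f"category {BLOCKED_URL_CATEGORIES[host]}")
    return Verdict("pass", "av")


STAGES = [dos_policy, firewall_policy, ips_app_control, av_webfilter]


def inspect(pkt):
    """Run the stages in slide order and stop at the first block."""
    for stage in STAGES:
        verdict = stage(pkt)
        if verdict.action == "block":
            return verdict
    return Verdict("pass", "out")


def reset():
    """Clear the DoS counters (e.g. between simulated flows)."""
    _syn_count.clear()
```

Running a SYN flood through `inspect` against a port the firewall policy denies still reports the block at the `dos` stage, not `firewall`, which is exactly the ordering the slide draws; swapping the first two entries of `STAGES` changes which log line a SOC analyst would see for the same traffic.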

Page 11

Three Components

• Complete content protection requires
  − Identification
    ▪ Customizable list of approximately 2,000 apps, growing weekly
    ▪ Consolidated security: DLP, AV/AS, SSL inspection, endpoint protection
  − Monitoring
    ▪ See what’s in your network
  − Control
    ▪ Granular control of behavior
      » Apps & features within apps
      » Users
      » Traffic

Page 12

Identification

• Over 2,000 applications
  » More added every week
  » Category
    • IM, P2P, remote access, video, etc.
  » Ranked on popularity & risk
  » Independent of port, protocol, IP address
  » Decrypt encrypted traffic

• Including HTTPS, POP3S, SMTPS and IMAPS protocols
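“Independent of port, protocol, IP address” means the application is recognised from what the bytes look like, not from where they are sent. The following added example (written for this page, not Fortinet’s engine) shows the idea with simplified fingerprints for SSH, HTTP, BitTorrent and TLS; for TLS it parses the ClientHello down to the SNI extension, which is the server name a device can read before, or without, decrypting HTTPS, SMTPS, IMAPS or POP3S. The sample payloads, including the ClientHello built by `build_client_hello`, are constructed.

```python
"""Added example (not Fortinet code): payload-based application identification
that ignores the destination port. Fingerprints are simplified versions of the
well-known protocol banners; the TLS parser extracts the SNI server_name from a
ClientHello. Sample packets are constructed."""
import struct

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"DELETE"}


def parse_sni(payload):
    """Return the server_name carried in a TLS ClientHello, or None."""
    try:
        # TLS record header: content type 0x16 (handshake), version(2), length(2)
        if len(payload) < 5 or payload[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:            # handshake type 1 = ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                 # client_version + random
        sid_len = body[pos]; pos += 1 + sid_len      # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
        cm_len = body[pos]; pos += 1 + cm_len        # compression_methods
        if pos + 2 > len(body):
            return None                              # ClientHello without extensions
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0:                           # server_name extension
                # list length(2), name_type(1)=0 host_name, name length(2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("ascii")
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                                  # truncated or malformed: not a ClientHello


def identify(payload):
    """Classify a flow's first payload bytes without looking at the port."""
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in payload:
        return "http"
    sni = parse_sni(payload)
    if sni is not None:
        return "tls:" + sni
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def classify(dport, payload):
    """The slide's point: the port is at most a hint; the payload decides."""
    return identify(payload)


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

`classify(80, b"SSH-2.0-...")` returns `ssh`, and a ClientHello for `www.facebook.com` sent to port 8443 is still reported as `tls:www.facebook.com`; that is the behaviour an application-control policy needs before it can decide whether to allow, throttle or decrypt the flow.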

Page 13

Identification - Application Botnet Category

Page 14

Monitoring

• Understand what’s in your network
  » Summary & detailed reports
    • Application usage
    • Behavior of user
    • Bandwidth consumption
  » Visualization of trends, threats, and behaviors that put your network at risk

Page 15

Control

• Granular control of behavior
  » Apps & features within apps
    • Categories of apps
    • Individual apps
    • Actions within apps
  » Users
    • Domain, groups, individual users
  » Traffic
    • Prioritize
    • Limit access by groups or users
  » Time of day
  » Day of week

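The controls listed on this slide combine into a policy table evaluated first-match, like a firewall rulebase. The following added example (written for this page, not Fortinet’s policy engine) evaluates rules that match on application category or individual app, on user group, and on day-of-week / time-of-day windows, with allow, block or bandwidth-limit actions. It also handles the window edge case that bites in practice: a window that crosses midnight. The app categories, user groups and rules are constructed.

```python
"""Added example (not Fortinet code): a first-match policy evaluator for the
controls on the 'Control' slide: app category / individual app, user group,
day of week and time of day, with allow / block / limit actions. Categories,
groups and rules are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

APP_CATEGORY = {"bittorrent": "p2p", "youtube": "video", "teamviewer": "remote_access",
                "facebook": "social", "facebook.chat": "social"}      # constructed

USER_GROUPS = {"alice": {"staff", "marketing"}, "bob": {"staff"},
               "carol": {"staff", "it_admins"}}                          # constructed


@dataclass
class Rule:
    name: str
    action: str                                  # "allow", "block" or "limit"
    apps: set = field(default_factory=set)       # individual apps; empty = any
    categories: set = field(default_factory=set) # app categories; empty = any
    groups: set = field(default_factory=set)     # user groups; empty = any
    days: set = field(default_factory=set)       # 0=Mon .. 6=Sun; empty = any
    start: Optional[time] = None                 # time window; may cross midnight
    end: Optional[time] = None
    limit_kbps: int = 0                          # only meaningful for "limit"

    def in_window(self, when):
        if self.days and when.weekday() not in self.days:
            return False
        if self.start is None or self.end is None:
            return True
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # window crosses midnight

    def matches(self, app, user, when):
        if self.apps and app not in self.apps:
            return False
        if self.categories and APP_CATEGORY.get(app) not in self.categories:
            return False
        if self.groups and not (USER_GROUPS.get(user, set()) & self.groups):
            return False
        return self.in_window(when)


BUSINESS_HOURS = dict(days={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0))

POLICY = [   # evaluated top to bottom, first match wins (constructed)
    Rule("admins-remote-access", "allow", apps={"teamviewer"}, groups={"it_admins"}),
    Rule("staff-remote-access-after-hours", "allow", categories={"remote_access"},
         groups={"staff"}, start=time(20, 0), end=time(6, 0)),
    Rule("no-remote-access", "block", categories={"remote_access"}),
    Rule("no-p2p", "block", categories={"p2p"}),
    Rule("video-throttled-business-hours", "limit", categories={"video"},
         limit_kbps=512, **BUSINESS_HOURS),
    Rule("marketing-social", "allow", categories={"social"}, groups={"marketing"}),
    Rule("social-lunch-only", "allow", categories={"social"}, start=time(12, 0), end=time(13, 0)),
    Rule("social-blocked", "block", categories={"social"}),
    Rule("default", "allow"),
]


def evaluate(app, user, when, policy=POLICY):
    """Return (rule name, action, limit_kbps) for a session.

    `when` is a datetime or an ISO-8601 string such as '2012-03-14T10:30:00'.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for rule in policy:
        if rule.matches(app, user, when):
            return rule.name, rule.action, rule.limit_kbps
    return "implicit-deny", "block", 0
```

Note that the `social-lunch-only` window is half-open (`12:00 <= t < 13:00`), so a session at exactly 13:00 falls through to `social-blocked`; an inclusive end would make the two rules overlap for one second, which is the kind of ambiguity a policy table should not carry.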

Page 16

Real Threat Protection in Action

Problem:
• “Innocent” video link: redirects to malicious website
• “Out of date” Flash player error: “download” malware file
• Error message: “drops” copy of itself on system and attempts to propagate

Solution:
• Integrated Web Filtering: blocks access to malicious website
• Network Antivirus: blocks download of virus
• Intrusion Protection: blocks the spread of the worm

Page 17

Consolidated Security with Real Time Updates

• Intrusion Prevention: vulnerabilities and exploits. Browser and website attack code crafted by hackers and criminal gangs.
• Application Control: unwanted services and P2P limiting. Botnet command channel, compromised Facebook applications; independent of port or protocol.
• Web Filtering: multiple categories and malicious sites. Botnet command, phishing, search poisoning, inappropriate content.
• Antispam: unsolicited messages. Phishing, malware, social engineering and junk.
• Antivirus: all malicious code. Documents, macros, scripts, executables, delivered via web, email, USB, instant messaging, social networks, etc.
• Vulnerability Management: real-time exploit updates. Multiple scanning points: FortiGate, FortiAnalyzer, FortiWeb, FortiDB, and FortiScan.

Page 18

Thank You!