Page 1

Building the Foundations of Security Defense with a New Mindset. Bruce Lan, Technical Manager, Palo Alto Networks Taiwan


Agenda
Re-examining the protection aspects of data handling (protection)
Impact and challenges brought by changes in application and client behavior
Limitations of traditional protection mechanisms
Recommendations from research organizations and related standards
New-generation protection measures and management thinking
- Re-understand your network data flows
- Formulate security policy with a new mindset
- Grasp the possible issues and threats in every application connection
- Search and analyze all kinds of events in an instant
- Give service hosts a more rigorous protection mechanism
- More cost-effective deployment flexibility

Palo Alto Networks


Re-examining the protection aspects of data handling (protection)

Physical security

System security

Application and database security

© 2010 Palo Alto Networks. Proprietary and Confidential.


Re-examining the protection aspects of data handling (protection): common network security defense mechanisms
(Diagram: Internet, Remote site, Server farm, Internal)


Re-examining the protection aspects of data handling (protection): common network security defense mechanisms
(Diagram: Internet, Server farm)


Impact of changes in application and client behavior

Ultrasurf (無界), Freegate

Applications!!! Xunlei (迅雷)


Challenges facing data handling (protection)

Key point: regulate the collection, processing and use of data.

We can set policies to control how data is collected, processed and used. But how do we control unknown or anomalous network behavior?


Challenges facing data handling (protection): controlling unknown and anomalous network behavior...
• An employee's PC becomes part of a botnet, and data is stolen.
• An employee uses P2P, and data is stolen.
• An employee uses P2P to download other people's personal data, such as national ID numbers or credit card numbers, and redistributes it over the corporate network.
• An employee misuses TeamViewer and shares customer data to the outside through desktop sharing.
• An employee sends data outside through Facebook's email/chat tools.
• ......

Data leakage!


Example 1 • An employee's PC becomes part of a botnet, and data is stolen.

Has the enterprise done its best to keep malware away from client PCs? Has it deployed the relevant protective devices or systems?


Example 2 • An employee uses P2P, and data is stolen.

Do employees need P2P privileges while at work? Has the enterprise done its best to control P2P?


Example 3 • An employee misuses TeamViewer and shares sensitive data to the outside through desktop sharing.

Do employees outside the IT department need TeamViewer? Has the enterprise done its best to control it?


Example 4 • Employees intentionally or unintentionally spread sensitive data to the outside through social tools, webmail, online file-sharing services, instant messaging and similar channels.

Do employees need to use Facebook? Even if they do, should they be allowed to use Facebook Mail and posting? Has the enterprise done its best to control it?


Limitations of traditional protection mechanisms: the traditional firewall
(Diagram: a Layer 4 firewall (stateful inspection) between the enterprise and the Internet)
Traditional applications • DNS • Gopher • SMTP • HTTP
Dynamic applications • FTP • RPC • Java/RMI • Multimedia
Evasive applications • Encrypted • Web 2.0 • P2P • Instant Messenger • Skype • Music • Games • Desktop Applications • Spyware • Crimeware


Limitations of traditional protection mechanisms: the traditional firewall. What traffic is in the network?
(Diagram: Enterprise 2.0 clients behind the firewall; Internet; Ultrasurf (無界瀏覽) passes through the firewall easily)

A typical port-based rule table:

Comment          | Source IP       | Destination IP | Service/port | Action
HTTP,HTTPS Only  | 192.168.10.0/24 | Any            | 80,443       | Allow
.....            | X.X.X.X         | X.X.X.X        | 5001         | Allow
Others           | Any             | Any            | Any          | Deny

The first rule admits anything that talks on TCP 80 or 443, whatever the application actually is.


Limitations of traditional protection mechanisms: the traditional firewall
(Diagram: applications on their standard ports: FTP on port 20, SSH on port 22, Telnet on port 23, HTTP on port 80, IM on port 531)
• Applications became evasive
- Needed to traverse the firewall
- Would look for commonly open ports (port 80, 443, 53)
- Or look for any available port (open high ports)
Evasive applications fundamentally break the port-based model


Non-standard... is the new standard
(Chart: most frequently detected "dynamic" applications; the values on the bars are 83%, 78%, 77%, 73%, 60%, 60%, 60%, 55%, 54%, 51% and 42%; applications on the axis include Sharepoint, iTunes, MS RPC, Skype, BitTorrent, MSN Voice, Ooyla, Mediafire, Teamviewer and eMule. Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010)

(Chart: applications that are capable of tunneling, by category: Collaboration (46), Media (24), General-Internet (17), Business-Systems (15), Networking (73); by technology: Client-server (78), Browser-based (66), Network-protocol (19), Peer-to-peer (12))
• 67% of the apps use port 80, port 443, or hop ports
• 190 of them are client/server
• 177 can tunnel other applications, a feature no longer reserved for SSL or SSH


Limitations of traditional protection mechanisms: intrusion prevention (IDP/IPS)
(Diagram: the kinds of application traffic an IPS cannot look into, marked "?!?": Tunneled Apps (e.g. Facebook), Encryption (e.g. SSL), Proxies (e.g. UltraSurf), Compression (e.g. GZIP), Outbound Phone Home Traffic)
Broadening threats: IMs, Bot nets, Malware URLs, Exploits, Worms, XSS, P2P


Limitations of traditional protection mechanisms: intrusion prevention (IDP/IPS)

Ultrasurf (無界)


Recommendations from research organizations and related standards: ISO 27001, PCI
Identifies applications regardless of port numbers, tunneling and encryption protocols (including P2P and IM). Firewall policy rules explicitly define what applications are permitted.

More than 60% of applications are hidden from network firewalls. Controlling clients and their behavior is the essential foundation for implementing these standards.

Control of applications is an essential requirement of IT security standards (ISO 27001, PCI, etc.): the principle of least privilege. Common firewalls, IPS and UTM are not able to fulfill this requirement.

ISO 27001, A.11.4.1, Policy on use of network services: users should only be provided with access to the services that they have been specifically authorized to use.


Recommendations from related organizations and security standards: CISSP
• Least Privilege (Need to Know) - Users should receive only the minimum privileges their work requires, and should know only the data their work requires.
• Separation of Duties - The enterprise should divide work as far as possible, so that no single over-privileged person can carry out an entire task from start to finish.
• Best Effort - The enterprise must be able to show that it has made its best effort to protect its data and network.


Recommendations from related organizations and security standards: Gartner
To truly protect the network, enterprises need capabilities beyond what traditional IPS solutions provide:
1. Proactively reduce the attack surface
2. Control the application-enabled vectors
3. Protect against all threats in theory and in practice
4. Shift to user-aware enforcement and reporting

Gartner's recommendation: "Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two"


New-generation protection measures and management thinking

Palo Alto Networks Next-Generation Firewall

Next-Generation Threat Prevention • Actively reduce the attack surface • Control application-enabled threats • User-aware enforcement and reporting

Traditional IPS Requirements • Proven IPS accuracy • Anti-virus / spyware • Performance • Research


New-generation protection measures and management thinking

Understand the network data flows you manage

Give clients appropriate rules of behavior
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude

Further apply security inspection to the flows that are allowed
» Complete threat library with no blind spots: bi-directional inspection; scans inside of SSL; scans inside compressed files; scans inside proxies and tunnels


New-generation protection measures and management thinking: the inspection pipeline
Identify traffic (App-ID): identification works from the TCP port number, through SSL and HTTP, down to the actual application (GMail, Google Talk)
Is the user allowed? (User-ID)
What threats? (Content-ID)
- Full-cycle threat prevention: intrusion prevention, malware blocking, anti-virus control, URL site blocking, encrypted & compressed files
- Data leakage control: credit card numbers, custom data strings, document file types
Applied to both inbound and outbound traffic
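The data leakage controls listed under Content-ID, shown as an added example that is not Palo Alto Networks code: a simplified outbound content check for credit card numbers (validated with the Luhn checksum so that arbitrary digit runs do not fire), custom data strings, and document file types by magic bytes, applied after transparently decompressing gzip so that a compressed upload is not a blind spot. The sample payloads, the card numbers and the custom pattern are constructed for this illustration.

```python
"""Added example (not Palo Alto Networks code): a simplified outbound
content check of the kind the Content-ID slide lists - credit card numbers,
custom data strings and document file types - applied after transparently
decompressing gzip so a compressed upload is not a blind spot. The sample
payloads and the custom pattern are constructed for this illustration."""
import gzip
import re
from typing import Dict, List, Optional

# Runs of 13-19 digits, optionally separated by spaces or dashes, that are
# not embedded in a longer digit string.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Leading bytes that identify common document containers.
MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ms-office-ole",  # legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip-container",  # also .docx/.xlsx/.pptx
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs of card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def file_type(data: bytes) -> Optional[str]:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def decompress_if_gzip(data: bytes) -> bytes:
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def inspect(payload: bytes, custom_patterns: List[str]) -> Dict[str, object]:
    """Report what the payload would leak: card numbers, custom-string hits and
    the document type, if any, after looking inside gzip compression."""
    body = decompress_if_gzip(payload)
    text = body.decode("utf-8", errors="ignore")
    return {
        "compressed": body is not payload,
        "cards": find_card_numbers(text),
        "custom": sorted({m.group() for p in custom_patterns for m in re.finditer(p, text)}),
        "file_type": file_type(body),
    }


# Constructed samples: a chat message with one valid and one corrupted test card
# number plus a project codename (sent once plain and once gzip-compressed), and
# the start of a PDF upload. The 13-digit ticket number fails Luhn and is ignored.
CHAT = ("cards: 4111 1111 1111 1111 and 4111-1111-1111-1112, "
        "see PROJECT-ORCHID figures; ticket 2023051700001").encode()
CHAT_GZ = gzip.compress(CHAT)
PDF_HEAD = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj"
CUSTOM = [r"PROJECT-[A-Z]+"]

if __name__ == "__main__":
    for name, p in (("plain", CHAT), ("gzip", CHAT_GZ), ("pdf", PDF_HEAD)):
        print(name, inspect(p, CUSTOM))
```

The gzip branch is the point of the "encrypted & compressed files" item: the same chat text produces the same findings whether or not the client compressed it. SSL would need decryption in front of this check, which the example does not model.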


Re-understand your network data flows

Present every kind of client network behavior directly by application name and similar information...


Re-understand your network data flows

How much port 80 traffic was being ignored in the past?


Re-understand your network data flows

Grasp the key information you need for management in the most intuitive way... Who uses P2P?


Re-understand your network data flows

Monitor in detail the possibly anomalous behavior of clients


Re-understand your network data flows

Where have all the connections gone?

Which application services are they?


Formulate security policy with a new mindset
Regulate clients, groups and their network behavior precisely...
For Accounting ... allow web-browsing
For Marketing ... allow web-browsing & facebook-chat
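The difference between the port-based rule table on the traditional firewall slide and the Accounting/Marketing policy above, as an added example that is not Palo Alto Networks code: the same constructed flows are evaluated by both models, and the evasive applications from the earlier slides (Ultrasurf on 443, BitTorrent hopping to 443) are exactly the flows the port table admits and the application/user policy refuses. The flows, users, group names and the `app` labels (standing in for an App-ID style classification of the payload) are all constructed; the slide's second rule has its addresses elided and is left out.

```python
"""Added example (not Palo Alto Networks code): the same constructed flows
evaluated by the port-based rule table from the traditional firewall slide
and by an application/user policy like the Accounting and Marketing example.
Flow data, user names and the 'app' labels (standing in for an App-ID style
classification of the payload) are all constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # TCP destination port
    app: str    # application identified from the payload, e.g. "ultrasurf"
    user: str   # user mapped to the source IP (User-ID style)
    group: str  # directory group of that user


# Port-based (L4 stateful) rules as on the slide. The slide's second row has
# its addresses elided (X.X.X.X), so it is left out here.
# (comment, source, destination, ports, action); "any" matches everything.
L4_RULES = [
    ("HTTP,HTTPS Only", "192.168.10.0/24", "any", {80, 443}, "allow"),
    ("Others", "any", "any", "any", "deny"),
]

# Application/user policy as on the "new mindset" slide. Anything that is not
# explicitly allowed for the group is denied (least privilege).
APP_RULES = {
    "Accounting": {"web-browsing"},
    "Marketing": {"web-browsing", "facebook-chat"},
}


def _ip_match(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    if "/" in pattern:
        return ip_address(ip) in ip_network(pattern, strict=False)
    return ip_address(ip) == ip_address(pattern)


def l4_decision(flow: Flow) -> str:
    """First-match evaluation of the port-based table: 'allow' or 'deny'."""
    for _comment, src, dst, ports, action in L4_RULES:
        if (_ip_match(src, flow.src) and _ip_match(dst, flow.dst)
                and (ports == "any" or flow.dport in ports)):
            return action
    return "deny"


def app_decision(flow: Flow) -> str:
    """Application/user policy: allow only apps on the group's allow list."""
    return "allow" if flow.app in APP_RULES.get(flow.group, set()) else "deny"


def evaded_by_port_policy(flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """Flows the L4 table lets through but the app/user policy would block:
    exactly the evasive traffic the port-based model cannot see."""
    return [(f.user, f.app, f.dport) for f in flows
            if l4_decision(f) == "allow" and app_decision(f) == "deny"]


# Constructed sample flows (RFC 5737 documentation addresses as destinations).
SAMPLE_FLOWS = [
    Flow("192.168.10.21", "203.0.113.10", 80, "web-browsing", "alice", "Accounting"),
    Flow("192.168.10.21", "203.0.113.20", 443, "ultrasurf", "alice", "Accounting"),
    Flow("192.168.10.33", "198.51.100.5", 443, "facebook-chat", "bob", "Marketing"),
    Flow("192.168.10.33", "198.51.100.5", 443, "facebook-posting", "bob", "Marketing"),
    Flow("192.168.10.40", "203.0.113.30", 443, "bittorrent", "carol", "Accounting"),
    Flow("192.168.10.40", "203.0.113.30", 6881, "bittorrent", "carol", "Accounting"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.user:6} {f.app:17} :{f.dport:<5} L4={l4_decision(f):5} app={app_decision(f)}")
    print("evaded port policy:", evaded_by_port_policy(SAMPLE_FLOWS))
```

Note that the app/user policy is keyed on the identified application and the user's group, not on the port: BitTorrent is refused on 443 and on 6881 alike, and Facebook chat and Facebook posting get different verdicts on the same destination and port.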


Grasp the possible issues and threats in every application connection


Search and analyze all kinds of events in an instant
Who accessed it? What application? Where? What threat was detected? Which security rule?

In the past, how much time did you have to spend on event statistics, horizontal integration and cross-analysis to clarify the causes of all kinds of network problems?
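The five questions on this slide (who, which application, where, which threat, which rule) and the "Who uses P2P?" view from the data-flow slides, answered in one pass over two logs joined on session id. This is an added example and not Palo Alto Networks code; the CSV layout, the field names, the sessions and the threat names are all constructed and simplified, not the vendor's real log schema.

```python
"""Added example (not Palo Alto Networks code): answering who / which app /
where / which threat / which rule in one pass over a traffic log and a threat
log joined on session id. The CSV format, sessions and threat names are
constructed and simplified, not the vendor's real log schema."""
import csv
from collections import Counter, defaultdict
from io import StringIO
from typing import Dict, List

# Constructed traffic log: one row per session.
TRAFFIC_LOG = """\
session_id,user,src_ip,dst_ip,dst_port,app,rule,action
1001,alice,192.168.10.21,203.0.113.10,80,web-browsing,allow-web,allow
1002,alice,192.168.10.21,203.0.113.20,443,ultrasurf,allow-web,allow
1003,bob,192.168.10.33,198.51.100.5,443,facebook-chat,allow-marketing,allow
1004,carol,192.168.10.40,203.0.113.30,443,bittorrent,allow-web,allow
1005,carol,192.168.10.40,203.0.113.30,6881,bittorrent,deny-all,deny
1006,bob,192.168.10.33,203.0.113.77,80,web-browsing,allow-marketing,allow
"""

# Constructed threat log: only the sessions in which content inspection fired.
THREAT_LOG = """\
session_id,threat,severity,direction
1002,Ultrasurf Proxy Traffic,medium,client-to-server
1004,BitTorrent Peer Download,low,client-to-server
1006,Malware URL,high,server-to-client
"""


def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(StringIO(text)))


def correlate(traffic_log: str, threat_log: str) -> List[Dict[str, str]]:
    """Join each threat event to its session and return one answer record per
    threat: who, what app, where, which threat, which rule let it through."""
    sessions = {r["session_id"]: r for r in _rows(traffic_log)}
    out = []
    for t in _rows(threat_log):
        s = sessions.get(t["session_id"])
        if s is None:
            continue  # threat without a matching session: do not guess
        out.append({
            "who": s["user"],
            "app": s["app"],
            "where": f'{s["dst_ip"]}:{s["dst_port"]}',
            "threat": t["threat"],
            "severity": t["severity"],
            "rule": s["rule"],
        })
    return out


def rules_to_review(traffic_log: str, threat_log: str) -> Dict[str, int]:
    """Threats per allowing rule: the rules that are too broad."""
    return dict(Counter(r["rule"] for r in correlate(traffic_log, threat_log)))


def apps_by_user(traffic_log: str) -> Dict[str, List[str]]:
    """Who uses what, by application name rather than by port."""
    d = defaultdict(set)
    for r in _rows(traffic_log):
        d[r["user"]].add(r["app"])
    return {u: sorted(a) for u, a in sorted(d.items())}


def users_of_app(traffic_log: str, app: str) -> List[str]:
    """The 'Who uses P2P?' question for one application."""
    return sorted({r["user"] for r in _rows(traffic_log) if r["app"] == app})


if __name__ == "__main__":
    for rec in correlate(TRAFFIC_LOG, THREAT_LOG):
        print(rec)
    print("rules to review:", rules_to_review(TRAFFIC_LOG, THREAT_LOG))
    print("bittorrent users:", users_of_app(TRAFFIC_LOG, "bittorrent"))
```

The join is only possible because both logs carry the same session id and the traffic log already records the application and the user; with port-only logs the "which application" and "who" columns would have to be reconstructed from IP addresses and DHCP or directory lookups after the fact.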


Give service hosts a more rigorous protection mechanism
• Effective Security
- By application
- By user
- Content scanning
• Flexible Integration
- L1/L2/L3/mixed mode
- VLAN trunking, link aggregation
• Example: Safe Enablement
- Developers stand up SQL instances on any port...
- Only Oracle, SQL Server, MySQL, and DB/2 traffic is allowed access to the databases segment
• Example: Network Segmentation (PCI)
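The safe-enablement example, as added code that is not Palo Alto Networks' own: the database protocols are recognised from the first bytes of a session (MySQL server greeting, SQL Server TDS PRELOGIN, Oracle TNS CONNECT, DB2 DRDA EXCSAT) instead of from the port, and only those four are admitted to the databases segment, so an instance a developer started on an unusual port is still reachable while PostgreSQL or HTTP aimed at the same segment is not. The handshake samples are constructed from the public wire formats, the signatures are deliberately simplified to the few fields that tell the protocols apart, and the application names are this example's own labels.

```python
"""Added example (not Palo Alto Networks code): identify database protocols
from the first bytes of a session, ignoring the port, then apply the
safe-enablement rule: only Oracle, SQL Server, MySQL and DB2 may reach the
databases segment. Handshake samples are constructed from the public wire
formats; the signatures are simplified to the fields needed to tell the
protocols apart, and the app labels are this example's own."""
from typing import Tuple

ALLOWED_DB_APPS = {"oracle", "mssql-db", "mysql", "db2"}


def identify_app(payload: bytes) -> str:
    """Classify a TCP session from its first payload bytes (either direction)."""
    if len(payload) < 8:
        return "unknown-tcp"
    # MySQL: the server speaks first. 3-byte little-endian length, sequence id 0,
    # protocol version 0x0a, then a NUL-terminated server version string.
    if payload[3] == 0 and payload[4] == 0x0A and b"\x00" in payload[5:]:
        return "mysql"
    # SQL Server (TDS): PRELOGIN packet type 0x12, status with the EOM bit set,
    # big-endian total length in bytes 2-3 equal to the packet size.
    if (payload[0] == 0x12 and payload[1] & 0x01
            and int.from_bytes(payload[2:4], "big") == len(payload)):
        return "mssql-db"
    # Oracle (TNS): 2-byte big-endian length, 2-byte checksum, packet type 1 =
    # CONNECT, and a connect string carrying the DESCRIPTION keyword.
    if (int.from_bytes(payload[0:2], "big") == len(payload)
            and payload[4] == 0x01 and b"(DESCRIPTION=" in payload):
        return "oracle"
    # DB2 (DRDA): DSS header with magic 0xD0 at offset 2 and the EXCSAT
    # (exchange server attributes) code point 0x1041 as the first object.
    if len(payload) >= 10 and payload[2] == 0xD0 and payload[8:10] == b"\x10\x41":
        return "db2"
    # PostgreSQL: StartupMessage, protocol version 3.0 (196608) after the length.
    if int.from_bytes(payload[4:8], "big") == 196608:
        return "postgresql"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "web-browsing"
    return "unknown-tcp"


def db_segment_decision(payload: bytes) -> Tuple[str, str]:
    """Into the databases segment only if the identified app is one of the four
    database protocols; the port the instance listens on plays no part."""
    app = identify_app(payload)
    return app, ("allow" if app in ALLOWED_DB_APPS else "deny")


# Constructed handshakes (field values are illustrative).
def mysql_greeting() -> bytes:
    body = b"\x0a" + b"5.7.33-log\x00" + (5).to_bytes(4, "little") + b"abcdefgh\x00" + b"\xff\xf7"
    return len(body).to_bytes(3, "little") + b"\x00" + body


def tds_prelogin() -> bytes:
    body = b"\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\xff" + bytes(32)  # option tokens + data
    return b"\x12\x01" + (8 + len(body)).to_bytes(2, "big") + b"\x00\x00\x01\x00" + body


def tns_connect() -> bytes:
    connect_data = b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl))(ADDRESS=(PROTOCOL=tcp)(HOST=db)(PORT=1521)))"
    body = b"\x01\x3a\x01\x2c" + bytes(22) + connect_data  # simplified connect fields
    return (8 + len(body)).to_bytes(2, "big") + b"\x00\x00" + b"\x01\x00" + b"\x00\x00" + body


def drda_excsat() -> bytes:
    obj = b"\x10\x41" + b"\x00\x0a\x11\x5e" + b"DB2CLIENT"  # EXCSAT with one parameter
    return (8 + len(obj)).to_bytes(2, "big") + b"\xd0\x41\x00\x01" + (2 + len(obj)).to_bytes(2, "big") + obj


def pg_startup() -> bytes:
    params = b"user\x00dev\x00database\x00app\x00\x00"
    return (8 + len(params)).to_bytes(4, "big") + (196608).to_bytes(4, "big") + params


if __name__ == "__main__":
    samples = {"mysql": mysql_greeting(), "tds": tds_prelogin(), "tns": tns_connect(),
               "drda": drda_excsat(), "pgsql": pg_startup(),
               "http": b"GET / HTTP/1.1\r\nHost: db\r\n\r\n"}
    for name, p in samples.items():
        print(f"{name:6} -> {db_segment_decision(p)}")
```

PostgreSQL is identified but refused because it is not on the slide's allow list; that is the positive-enforcement half of the rule. The check looks only at the opening bytes, so a real implementation would keep inspecting the session and fall back to an unknown-tcp verdict, and a deny, if the later traffic stops looking like the protocol first claimed.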


Give service hosts a more rigorous protection mechanism
(Diagram: zones for Exchange OWA Servers, Infrastructure Servers, Development Servers, Users, Domain Users, and WAN and Internet)
Control each user's connections to specific hosts and applications according to their privileges, achieving "positive defense": only what is explicitly allowed gets through.


Management and deployment limitations of traditional security devices. Networks and threats are changing.

In the past, even a less-than-ideal management mechanism could only be had at a high price.
• Appropriate protection of IT systems requires safeguards controlling many network segments in different modes: L3, transparent (L2) and sniffer.
• Cost effectiveness requires virtualization of the protections: VLAN interfaces, virtual routers, and virtual systems.


More cost-effective deployment flexibility: the Palo Alto Networks solution
(Diagram: one device with interfaces in L2 – VLAN 10, L2 – VLAN 20, Vwire, L3 – DMZ, L3 – Internet and Tap – Core Switch modes)

Extend defense in depth across the board and gain higher management efficiency!
• Many work modes: Tap mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.
• The protection's work mode is adjusted to the requirements: network interfaces in one device can work in different modes.
• Security virtualization: VLAN interfaces in L2 and L3, virtual routers and virtual systems.


More cost-effective deployment flexibility
Visibility (tap mode)
• Application, user and content visibility without inline deployment
Transparent in-line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Multiple work modes can coexist at the same time


Palo Alto Networks

Nir Zuk
• 1994-1999: while CTO at Check Point, published the Stateful Inspection technology (adopted across the industry) and then launched the world's first firewall
• 2000-2002: CTO at OneSecure
• 2002-2005: CTO at NetScreen / Juniper
• 2005: Founder & CTO at Palo Alto Networks

Founded in 2005 by Nir Zuk, inventor of stateful inspection technology. Founded in 2005; Next-Generation Firewalls (NGFW) supplied to the global market since 2007. A team of world-class security and networking experts who have served at Check Point, NetScreen, McAfee, Juniper Networks, Blue Coat and Cisco. 3500+ customers accumulated in 60+ countries (as of Q4 2010...)


2011.06.23 Banking - Palo Alto Networks

[Building the Foundations of Security Defense with a New Mindset] Palo Alto Networks Technical Manager Bruce Lan (藍博彥)