2011.06.23 Banking - Palo Alto Networks by networkmagazine taiwan

以全新思維打造資安防禦基礎 Bruce Lan Technical Manager , Taiwan Palo alto Networks

Agenda 重新檢視資料處理（保護）的防護面向應用程式與用戶端行為改變帶來的影響與挑戰傳統防護機制的困境研究組織與相關規範的建議新一代的防護對策與管理思維 - 重新了解您的網路資料流 - 以新的思維製訂資安政策 - 掌握各種應用程式連線中可能的問題與威脅 - 彈指間完成各類事件的搜尋與分析 - 提供服務主機更縝密的防護機制 - 更具成本效益的佈署彈性

Paloalto Networks

Page 2 |

重新檢視資料處理（保護）的防護面向

實體安全

系統安全

程式、資料庫安全

Page 3 |

重新檢視資料處理（保護）的防護面向常見的網路資安防禦機制 Internet

Remote site Server farm

Internal

Page 4 |

重新檢視資料處理（保護）的防護面向常見的網路資安防禦機制

Internet Server farm

Page 5 |

應用程式與用戶端行為改變帶來的影響

Ultrasurf 無界 Freegate

Applications!!! 迅雷

Page 6 |

資料處理（保護）面臨的挑戰

重點:對資料的蒐集、處理及利用進行規範。

我們可以制訂政策去控制資料的蒐集、處理及利用。但對於未知、異常的網路行為我們又該如何控制?

Page 7 |

資料處理（保護）面臨的挑戰未知、異常網路行為的控管… • 員工電腦成為疆屍網路的一部分，造成資料被盜取。 • 員工使用P2P ，造成資料被盜取。 • 員工利用P2P下載及利用企業網路轉載其他人的身分證號碼或

信用卡號碼等個人資料 • 員工誤用TEAMVIEWER，把客戶資料經過桌面分享到外面。 • 員工利用FACEBOOK上的Email/聊天工具把資料發到外面。 • ……

資料外洩! Page 8 |

例一 • 員工電腦成為疆屍網路的一部分，造成資料被盜取。

企業是否有盡力避免惡意程式接觸到Client PC？企業有否配置相關防護設備或系統？

Page 9 |

例二 • 員工在用P2P ，造成資料被盜取。

員工是否有需要在工作時同時獲得做用Ｐ２Ｐ的權限？企業是否有盡力控制Ｐ２Ｐ？

Page 10 |

例三 • 員工誤用TEAMVIEWER，把機敏資料經過桌面分享

到外面。

非IT部門的員工是否有需要使用TEAMVIEWER？企業是否有盡力控制？

Page 11 |

例四 • 員工利用社群工具、webmail、線上共享空間服務與

即時訊息工具等管道有意或無意將機敏資料發散到外部。

員工是否有需要使用Facebook？就算有，是不是應該允許員工用Facebook Mail , Posting？企業是否有盡力控制？

Page 12 |

傳統防護機制的困境 – 傳統防火牆 Traditional Applications • DNS • Gopher • SMTP • HTTP

Dynamic Applications • FTP • RPC • Java/RMI • Multimedia

Layer 4 Firewall （Stateful Inspection）

Internet

Page 13 |

Evasive Applications • Encrypted • Web 2.0 • P2P • Instant Messenger • Skype • Music • Games • Desktop Applications • Spyware • Crime ware

傳統防護機制的困境 – 傳統防火牆 What traffic in network?

Enterprise 2.0

Internet 無界瀏覽 Easy to passthrough Firewall

Comment

Source IP

Destination IP

Service/port

Action

HTTP,HTTPS Only

192.168.10.0/24

Any

80,443

Allow

…..

X.X.X.X

5001

Allow

Others

Any

Deny

Port 20

Port 22

Port 23

Port 80

HTTP

Telnet

SSH

FTP

傳統防護機制的困境 – 傳統防火牆

Port 531

• Applications Became

Evasive -

Needed to traverse the firewall

Would look for commonly open ports 

Or look for any available port 

Evasive applications fundamentally break the port-based model

Page 15 |

Port 80, 443, 53

Open high ports

Non-Standard…Is the New Standard M ostFrequently Detected "Dynam ic" Applications 100% 80%

83%

78%

77%

73%

60%

55%

54%

51%

40%

42%

20%

Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010

0% Sharepoint

iTunes

MS RPC

Skype

BitTorrent MSN Voice

Ooyla

Mediafire

Collaboration (46) 8

Media (24)

General-Internet (17)

Business-Systems (15) 0

Teamviewer

• 67% of the apps use

Applications That are Capable of Tunneling

Networking (73)

eMule

port 80, port 443, or hop ports

• 190 of them are

client/server

• 177 can tunnel other

41 25

Client-server (78)

Browser-based (66)

Network-protocol (19)

Peer-to-peer (12)

applications, a feature no longer reserved for SSL or SSH

傳統防護機制的困境 –入侵防禦技術（IDP/IPS）

Tunneled Apps (e.g. Facebook)

Applications

Encryption (e.g. SSL)

?!?

Proxies (e.g UltraSurf) Compression (e.g. GZIP)  Outbound Phone Home Traffic

Page 17 |

IMs

上圖加”動畫”

Bot nets

Malware URLs

Exploits

Worms

XSS

P2P

Broadening Threats

傳統防護機制的困境 –入侵防禦技術（IDP/IPS）

Ultrasurf 無界

Page 18 |

研究組織與相關規範的建議 – ISO 27001, PCI Identifies applications regardless of port numbers, tunneling and encryption protocols (including P2P and IM). Firewall policy rules explicitly define what applications are permitted.

More then 60% of applications are hidden from network firewalls. 做好用戶端與其行為之管制是落實規範的重要基礎

Control of applications is an essential requirement of IT security standards (ISO 27001, PCI, etc.) - The Principle of Least Privilege. Common firewall, IPS and UTM are not able to fulfill this requirement. Page 19 |

ISO 27001, A.11.4.1. Policy on use of network services. The users should only be provided with access to the services that they have been specifically authorized to use.

相關組織與安全規範的建議 - CISSP • Least Privilege (Need to Know) -

用戶在工作時，應只獲取最低的、工作所需的權限。他們應只知道工作所需的資料。

• Separation of Duties -

企業應盡可能把工作分工，以避免出現一位能把所有工作從頭到尾完成的過高權限者。

• Best Effort -

Page 20 |

企業必須表現出他已盡了最大的努力去保護數據、網路。

相關組織與安全規範的建議 - Gartner To truly protect the network, enterprises need capabilities beyond what traditional IPS solutions provide

1. Proactively reduce the attack surface 2. Control the application-enabled vectors 3. Protect against all threats in theory and in practice 4. Shift to user-aware enforcement and reporting Page 21 |

Gartner’s Recommendation: “Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two” Read the full Gartner report here

新一代防護對策與管理思維

Palo Alto Networks Next-Generation Firewall

Next-Generation Threat Prevention • Actively reduce the attack surface • Control application enabled threats • User-aware enforcement and reporting

Traditional IPS Requirements • • • •

Proven IPS Accuracy Anti-Virus / Spyware Performance Research

新一代防護對策與管理思維

給予用戶端適當的行為規範

» Traffic limited to

了解您所管理的網路資料流 Page 23 |

approved business use cases based on App and User » Attack surface reduced by orders of magnitude

進一步針對所允許的資料流進行相關資安檢查

» Complete threat library with no blind spots Bi-directional inspection Scans inside of SSL Scans inside compressed files Scans inside proxies and tunnels

新一代防護對策與管理思維

新一代防護對策與管理思維 Identify traffic (App-ID)

Is User Allowed? (User ID)

Google Talk

GMail

HTTP

SSL

Port Number - TCP

Inbound

What Threats? (Content ID) Full cycle threat prevention Intrusion prevention Malware blocking Anti-virus control URL site blocking Encrypted & compressed files

Data leakage control Credit card numbers Custom data strings Document file types

Outbound

重新了解您的網路資料流

直接以應用程式名稱等資訊來呈現用戶端的各種網路行為…

Page 26 |

重新了解您的網路資料流

有過去有多少PORT 80的流量是被忽略的？

Page 27 |

重新了解您的網路資料流

以最直覺的方式掌握管理所 Who use P2P？需的關鍵資訊…

Page 28 |

重新了解您的網路資料流

詳細掌握用戶端可能的異常行為

Page 29 |

重新了解您的網路資料流

所有連線都到哪去了？

都是哪些應用服務？

Page 30 |

以新的思維製訂資安政策 For Accounting … allow web-browsing For Marketing … 精確地對用戶端、群組及其 Allow web-browsing 網路行為進行規範… & facebook-chat

Page 31 |

掌握各種應用程式連線可能的問題與威脅

Page 32 |

彈指間完成各類事件的搜尋與分析 Who Access it ？

What Application？

在過去您需要花多少時間去進行各類事件的統計、橫向整合與交叉分析以進行釐清各種網路問題的原因？ Where ? What threat is detected ？

Which secure rule ？

Page 33 |

提供服務主機更縝密的防護機制 • Effective Security -

By application

By user

Content scanning

• Flexible Integration - L1/L2/L3/mixed mode - VLAN trunking, link aggregation

• Example: Safe Enablement -

Developers stand up SQL instances on any port…

Only Oracle, SQL Server, MySQL, and DB/2 traffic allowed access to the databases segment

Page 34 |

• Example: Network

Segmentation (PCI)

提供服務主機更縝密的防護機制 Exchange OWA Servers

DomainUsers

Infrastructure Servers

Users

WAN and Internet

Development Servers

針對使用者依據其權限給予特定主機、應用程式連線之控管以達到”正向防禦”之目的

Page 35 |

傳統資安設備的管理與佈署限制 Networks and threats are changing

在過去，只能付出高額的代價去取得不盡理想的管理機制 •

Appropriate protection of IT systems requires the safeguards controlling many network segments in different modes – L3, transparent (L2) and sniffer.

•

Cost effectiveness requires the protections virtualization – VLAN interfaces, virtual routes, and virtual systems.

更具成本效益的佈署彈性 Palo Alto Networks solution L2 – VLAN 20

L2 – VLAN 10

Vwire

L3 – DMZ L3 – Internet Tap – Core Switch

全面擴大防禦縱深並獲得更高的管理效益！ •

Many work modes - Tap Mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.

•

Protections’ work mode adjusted to the requirements – network interfaces in one device can work in different modes.

•

Security virtualization – VLAN interfaces in L2 and L3, virtual routers and virtual systems. Page 37 |

更具成本效益的佈署彈性 Visibility

• Application, user and content visibility without inline deployment

Transparent In-Line

• IPS with app visibility & control • Consolidation of IPS & URL filtering

多種工作模式可同時並存 Page 38 |

Firewall Replacement

• Firewall replacement with app visibility & control • Firewall + IPS • Firewall + IPS + URL filtering

Palo alto Networks

Nir Zuk

•1994-1999：任職於Check Point CTO時，發表 Stateful Inspection 技術（為業界所採用）後推出全球第一台防火牆 •2000-2002： CTO at OneSecure •2002-2005：CTO at Netscreen / Juniper •2005：Founder & CTO at Paloalto Networks

Founded in 2005 by Nir Zuk, inventor of stateful inspection technology 2005成立，2007年起供應全球市場Next-Generation Firewalls (NGFW) 世界級的資安與網路專家所組成之團隊，曾經服務於 Check Point, NetScreen, McAfee, Juniper Networks, Blue Coat, And Cisco. 全球60+國家已累積 3500+ 客戶 (Until 2010,Q4 …） Page 39 |

Page 40 |

ÂŠ 2010 Palo Alto Networks. Proprietary and Confidential.