Unified Threat Management
Peter Theobald, CEO, IT Secure
Presentation at Sys Admin Workshop, IIT Kanpur, Oct 21, 2005
Unified Threat Management April 27, 2005 IIT Kanpur Sys Admin Workshop
Quiz: When is "Sys Admin Appreciation Day"?
Sys Admins have a tough enough job already. What about security threats?
- How serious are they?
- What is the most effective and cost-efficient way to handle them?
Current Trends
- Speed and sophistication of cyber-attacks is increasing dramatically
- Blended threats, hybrid attacks and automated tools have become popular, and getting them is easy
- Critical infrastructure depends on the Internet, and threats are progressively more unpredictable
- Security problems cost time, money and pain
Intruders
Figure: Attack Sophistication vs. Intruder Technical Knowledge, 1980 to 2004 (CERT chart). Over the period the technical knowledge an intruder needs falls from high to low while attack sophistication rises from low to high. Tools and techniques plotted on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network management diagnostics, distributed attack tools, cross site scripting, staged and auto-coordinated attacks.
Vulnerability in Software
"99% of intrusions result from exploitation of known vulnerabilities" (Source: CERT, Carnegie Mellon University, 2001)
- Cause: software vulnerabilities come from source code written without proper input checks and buffer handling
- Threat: made possible by not applying patches to vulnerable machines, and by leaving those machines exposed on the network to outside threats
- The Slammer worm (January 2003) exploited a SQL Server vulnerability for which a patch had been available since July 2002
E-mail Viruses
- E-mail has become the primary means of distributing threats
- Trojans are easy to deliver and install
- HTML viruses need no user intervention, and reach the desktop through webmail
- E-mails with attachments containing macros, VB scripts, JavaScript and HTML scripts
File Based Threats. Example: Internet download
- Viruses and malicious code infection from peer-to-peer, instant messaging apps, shareware sites, compromised servers, legitimate corporations and web-based email
- Threats pass straight through stateful packet inspection firewalls
- Once inside the network, other machines are easily affected
File Based Threats. Example: NetBIOS file transfers
- Viruses can be uploaded to network drives
- Once on the network drive, users who open the files can be affected
- Nimda was a worm that attacked file servers and opened up a hole allowing an attacker to obtain control of the server
Application Attacks. Unpatched servers: Scob
- Servers do not get up-to-date patches
- The attacker sends malicious code through a buffer overflow and gets program instructions executed on the victim's computer
- Can also be used as a denial-of-service attack, causing the computer to crash
- The server is infected; new users who access the server get infected in turn
Software Development Mistakes
Figure: two charts of vulnerability causes. CERT Advisories, by cause: Configuration Error, Design Error, Input Validation Error, Boundary Condition Error, Failure to Handle Exceptional Conditions, Access Validation Error, Unknown (only the smallest slices survive extraction: Unknown 6%, and two slices of 3% and 2%). SecurityFocus, by bug class: Buffer Overflows, Format String, Double Free, Integer Overflow, Others.
A Complete Attack: MyTob
MyTob Worm
- Discovered on: February 26, 2005
- W32.Mytob@mm is a mass-mailing worm that propagates via network shares and through email
- Uses its own SMTP engine to send itself to email addresses found on the local machine
- Exploits the Microsoft Windows LSASS remote buffer overflow and the RPC/DCOM vulnerability
- Opens a back door into the affected computer
- Protects itself by redirecting anti-virus update requests to the local computer
Step 1: Arrives as an email or via a buffer overflow
- Copies itself as %System%\msnmsgs.exe
- Adds the value "MSN" = "msnmsgs.exe" to the registry keys:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\OLE
  HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
- W32.Mytob@mm therefore runs every time Windows starts
Step 2: Loads itself into memory
- Since the executable is now in the start-up keys, msnmsgs.exe is loaded into memory
- "HELLBOT" by Diablo is clearly advertised in the binary, to show who wrote the program
Step 3: Logs in to an IRC channel
- Connects to an IRC channel on the irc.blackcarder.net domain on TCP port 6667
- Advertises the host PC's IP address and listens for commands that allow the remote attacker to: download files, execute files, delete files, update the bot, get uptime information
Step 4: Generate potential targets and attack
- Generates random IP addresses
- Exploits the RPC/DCOM vulnerability: sending a malformed packet to the DCOM service lets the program gain full access and execute any code on the target machine
- Exploits the Windows LSASS vulnerability: a buffer overflow that allows remote code execution and lets a malicious user gain full control of the affected system
Step 5: Uses its own SMTP engine to send itself
- Searches the local computer for email addresses in files with the extensions .wab .adb .tbb .dbx .asp .php .sht .htm
- From: spoofed
- Subject: one of hello, hi, error, status, Mail Transaction Failed, Mail Delivery System, SERVER REPORT, (No Subject), or random letters
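Steps 1 to 5 above are also a checklist of host and network indicators a sys admin can look for. The following detection script is an added example written for this page, not code from the presentation or from any vendor: it checks a registry export for the autorun persistence of step 1, a hosts file for anti-virus update hosts pinned to the local machine (the usual mechanism behind "redirecting AV updates to the local computer", assumed here), and a connection log for the IRC command channel of step 3 and the 135/445 scanning of step 4. All three inputs are constructed samples embedded in the script; the anti-virus domain names are placeholders.

```python
import re
from ipaddress import ip_address

# --- Constructed sample artefacts (not real captures) -------------------------
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN"="msnmsgs.exe"
"SoundTray"="C:\Program Files\Audio\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSN"="msnmsgs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN"="msnmsgs.exe"
"Updater"="updater.exe"
"""

HOSTS = """
127.0.0.1       localhost
127.0.0.1       update.antivirus.example   # placeholder AV update host
127.0.0.1       liveupdate.antivirus.example
"""

CONN_LOG = """
2005-02-26 10:03:11 TCP 10.0.0.5:1043 -> 203.0.113.7:6667 ESTABLISHED
2005-02-26 10:03:15 TCP 10.0.0.5:1044 -> 198.51.100.20:80 ESTABLISHED
2005-02-26 10:03:20 TCP 10.0.0.5:1045 -> 10.0.0.9:445 SYN_SENT
2005-02-26 10:03:20 TCP 10.0.0.5:1046 -> 10.0.0.77:135 SYN_SENT
"""

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")
WATCHLIST = {"msnmsgs.exe"}                       # file name given on the slide
AV_UPDATE_DOMAINS = {"update.antivirus.example", "liveupdate.antivirus.example"}
IRC_PORTS = range(6660, 6670)                     # 6667 is the port given on the slide
EXPLOIT_PORTS = {135: "RPC/DCOM", 445: "LSASS"}   # the two vulnerabilities the worm uses

def parse_reg_export(text):
    """Yield (key, name, value) for every value under an autorun key in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key and key.endswith(AUTORUN_KEYS):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                yield key, m.group(1), m.group(2)

def autorun_findings(text):
    """Flag watchlisted binaries, and autorun values that name a file without a
    directory (resolved through the search path, as msnmsgs.exe under %System% is)."""
    findings = []
    for key, name, value in parse_reg_export(text):
        exe = value.split("\\")[-1].lower()
        if exe in WATCHLIST:
            findings.append((key, name, "watchlisted binary"))
        elif not re.match(r"^[A-Za-z]:\\|^%", value):
            findings.append((key, name, "bare file name, resolved via search path"))
    return findings

def hosts_redirects(text):
    """AV update hosts pinned to loopback or a private address in the hosts file."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ip_address(fields[0])
        except ValueError:
            continue
        if addr.is_loopback or addr.is_private:
            hits.extend(n for n in fields[1:] if n.lower() in AV_UPDATE_DOMAINS)
    return hits

CONN_RE = re.compile(r"^\S+ \S+ TCP (\S+):(\d+) -> (\S+):(\d+) (\w+)$", re.M)

def irc_beacons(text):
    """Outbound sessions to IRC ports: the command channel of step 3."""
    return [(src, dst, int(dport)) for src, _, dst, dport, _ in CONN_RE.findall(text)
            if int(dport) in IRC_PORTS]

def exploit_probes(text):
    """Half-open connections to 135/445: the random-target scanning of step 4."""
    return [(dst, int(dport), EXPLOIT_PORTS[int(dport)])
            for _, _, dst, dport, state in CONN_RE.findall(text)
            if state == "SYN_SENT" and int(dport) in EXPLOIT_PORTS]

def report(reg=REG_EXPORT, hosts=HOSTS, conns=CONN_LOG):
    return {
        "autorun": autorun_findings(reg),
        "hosts": hosts_redirects(hosts),
        "irc": irc_beacons(conns),
        "probes": exploit_probes(conns),
    }

if __name__ == "__main__":
    for section, items in report().items():
        print(section, items)
```

On a real machine the registry export comes from `reg export`, the hosts file from %SystemRoot%\system32\drivers\etc\hosts and the connection list from `netstat -an`; the parsers above only assume those well-known formats. The search-path heuristic in autorun_findings is deliberately broad: a legitimate product occasionally registers a bare file name too, so treat that finding as a lead to verify rather than a verdict.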
Understanding Spyware
What is Spyware/Adware?
- Spyware is any software that uses a computer's Internet access without the owner's knowledge or explicit permission
- According to some experts, approximately 90% of computers have some form of spyware
- It gathers information: browsing habits (sites visited, links clicked, etc.), data entered into forms (including account names, passwords, text of web forms and web-based email), keystrokes and work habits
Spyware Infection
- A: Downloading programs: Kazaa, screensavers, Windows utilities, download managers, file-sharing software, demo software
- B: Trojans delivered or downloaded in e-mail
- C: Free, banner-ad-based software and pop-ups
- D: The most notorious enabler of spyware is Microsoft's ActiveX
Today's Aging Technology
- Stateful Packet Inspection (SPI) is limited protection
- Provides source / destination / state intelligence
- Provides network address translation
- Stateful firewalls cannot protect against threats that are application-layer, file or email based
Firewall Technology
- Typical firewalls are effective for port blocking
- If a port is open, it is assumed any data can pass
- Intrusion detection is a "reactive" approach that does not actively protect
- Security must be built upon deep packet inspection and anti-virus, anti-spyware and intrusion prevention with dynamic updates
The New Standard: UTM (Unified Threat Management)
Integration of:
- Firewall
- Deep Packet Inspection
- Intrusion Prevention for blocking network threats
- Anti-Virus for blocking file-based threats
- Anti-Spyware for blocking spyware
- Faster updates for the dynamically changing threat environment, and fewer false positives
Deep Packet Inspection: Unified Threat Management
- Zone-based security: protect internally (Server Zone, User Zone, Dept Zone)
- Gateway Anti-Virus: scans through unlimited file sizes and unlimited connections, over more protocols than any similar solution
- Anti-Spyware for protection against malicious programs: blocks the installation of spyware, and blocks spyware that is emailed or sent internally
- Application-layer threat protection: full protection from Trojan, worm, blended and polymorphic threats
- SonicWALL IPS/GAV dynamic updates
- PRO Series as a prevention solution: full L2-7 signature-based inspection and application awareness; DPI = Intrusion Prevention / Gateway AV / Anti-Spyware
Technology: Behind the Scenes
Hidden threats
Figure: Firewall traffic path. Network communication such as email, file transfers and web sessions is packetized. Our world view: a typical user activity, sending an email. The firewall's view: the same email as multiple packets of information, each packet consisting of header information plus data.
Firewall Traffic Path: Stateful Packet Inspection
Figure: the firewall inspects only the header fields of each packet: the IP header (version, service, total length, ID, flags, fragment, TTL, protocol, IP checksum, source and destination IP address, IP options) and the transport header (source and destination port, length or sequence numbers, checksum, SYN state); the DATA portion is not inspected. Example values on the slide: source 212.56.32.49, destination 65.26.42.17, destination port 80, sequence numbers 28474 and 2821, SYN state SYN, IP options none. (The source port printed on the slide, 823747, cannot be a real port: ports are 16-bit values, 0 to 65535.)
Stateful inspection is limited inspection that can only block on ports. No data inspection!
Firewall Traffic Path: Deep Packet Inspection
Figure: in addition to the header fields, the DATA portion of each packet is compared against a signature database. Deep Packet Inspection inspects all traffic moving through the device.
Signature database categories (number of signatures): ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15, DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13, FTP 50, ICMP 115, Instant Messenger 25, IMAP 16, INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19, MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25, P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124, RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14, TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312, WEB-CLIENT (count not shown).
Firewall Traffic Path: Deep Packet Inspection / Prevention
Figure: a stream of packets passes stateful packet inspection, then deep packet inspection compares the data of the packets against the signature database (the same categories as on the previous slide) and an application attack, worm or Trojan is found. Deep Packet Inspection with Intrusion Prevention can find and block application vulnerabilities, worms and Trojans.
Firewall Traffic Path: Gateway Anti-Virus and Content Control
Figure: the same packet stream, after stateful and deep packet inspection, passes through Gateway Anti-Virus, Anti-Spyware and Content Inspection. A virus file is detected in the stream, and an auction site is identified for content control.
Firewall Traffic Path: Security Must Be Updated
Figure: deep packet inspection, Gateway Anti-Virus, Anti-Spyware, the Content Filtering Service and Content Inspection each depend on a database that must be kept current: the IPS database (the signature database of the previous slides), the AV database, the Spy database and the Content Filtering database.
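The difference between stateful and deep packet inspection described on the preceding slides is easiest to see on packets. The script below is an added example for this page, not code from the presentation or from SonicWALL: it builds three constructed IPv4/TCP packets, parses the header fields a stateful firewall keys on, applies a port-only policy, and then runs a constructed two-entry signature list first per packet and then over the reassembled stream. The attack string in the HTTP request is deliberately split across two segments, which is the case per-packet matching misses. The slides describe a reassembly-free engine; this example buffers each flow instead, which is the simplest way to show why matching has to happen across packet boundaries. Signature names and addresses are illustrative.

```python
import struct
from collections import defaultdict

# Constructed signature list for this demo. The names mimic the category style of the
# signature database on the slides; the patterns are not any vendor's rules.
SIGNATURES = {
    "WEB-ATTACKS cmd.exe in URI": b"cmd.exe",
    "BACKDOOR irc nick HELLBOT": b"NICK HELLBOT",
}
ALLOWED_PORTS = {25, 80, 443}   # what a port-based policy lets through

def build_packet(src, dst, sport, dport, seq, payload):
    """Minimal IPv4+TCP packet (checksums left zero: only the parser is exercised)."""
    total = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window 8192
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload

def parse_packet(raw):
    """Split a raw IPv4/TCP packet into the header fields a firewall keys on, plus DATA."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("only TCP is handled in this example")
    sport, dport, seq, _, off, _, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    data_off = (off >> 4) * 4
    return {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport, "seq": seq,
        "payload": raw[ihl + data_off:total],
    }

def spi_verdict(pkt):
    """Stateful packet inspection reduced to its essence: header fields decide, DATA is never read."""
    return "allow" if pkt["dport"] in ALLOWED_PORTS else "drop"

def dpi_per_packet(pkt):
    """Signature match against one packet's DATA in isolation."""
    return [name for name, pat in SIGNATURES.items() if pat in pkt["payload"]]

def dpi_stream(packets):
    """Order each flow's segments by sequence number and match across the joined stream."""
    flows = defaultdict(dict)
    for p in packets:
        flows[(p["src"], p["dst"], p["sport"], p["dport"])][p["seq"]] = p["payload"]
    hits = {}
    for flow, segs in flows.items():
        data = b"".join(segs[s] for s in sorted(segs))
        hits[flow] = [name for name, pat in SIGNATURES.items() if pat in data]
    return hits

def demo():
    """Constructed traffic: an HTTP request whose attack string straddles two segments,
    delivered out of order, plus an IRC beacon on a port the policy does not allow."""
    first = b"GET /scripts/..%5c../winnt/system32/cm"
    second = b"d.exe?/c+dir HTTP/1.0\r\n\r\n"
    seq0 = 1000
    wire = [
        build_packet("10.0.0.5", "198.51.100.20", 1043, 80, seq0 + len(first), second),
        build_packet("10.0.0.5", "198.51.100.20", 1043, 80, seq0, first),
        build_packet("10.0.0.5", "203.0.113.7", 1044, 6667, 5000, b"NICK HELLBOT\r\n"),
    ]
    pkts = [parse_packet(p) for p in wire]
    return {
        "spi": [spi_verdict(p) for p in pkts],
        "per_packet": [dpi_per_packet(p) for p in pkts],
        "stream": dpi_stream(pkts),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The port policy drops the IRC beacon and waves both halves of the web attack through on port 80; per-packet matching sees "cm" in one segment and "d.exe" in the next and finds nothing; only the stream view matches. Real engines also have to cope with IP fragments, retransmissions and overlapping segments, which this demo does not model.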
SonicWALL Solutions
Value Innovation Philosophy
- Affordable: total cost of ownership
- Simple: easy to install, use and manage
- Powerful: deep, dynamic, distributed
Unified Threat Management Appliance
- Firewall
- VPN
- Basic bandwidth management
- Gateway AV, Intrusion Prevention and Anti-Spyware
- Content filtering
- Reporting
- Secure wireless
- High availability (appliance)
- ISP load balancing/failover
- Central management
Dynamic Real-Time Protection
- Dynamic real-time threat scanning engine at the gateway: Anti-Virus, Anti-Spyware and Intrusion Prevention
- Protects against viruses, spyware, worms, Trojans and application vulnerabilities; external and internal protection
- Reassembly-free engine: scans and decompresses an unlimited number of files and file sizes
- Supports over 50 protocol types, including SMTP, IMAP and POP3 (email), HTTP (web), FTP (file transfer), peer-to-peer transfers, NetBIOS (intra-LAN transfers) and any stream-based protocol
- Database updated by an expert signature team
The TZ Series is the ideal total security platform for small networks, providing a compelling blend of ease of use for basic networks and flexibility for more complex networks.
- TZ 150: deep packet inspection firewall, supports up to 10 nodes, 4-port MDIX LAN switch, 30 days of IPS/AV/CFS
- TZ 170: deep packet inspection firewall, WorkPort, 5-port MDIX switch, upgrade to SonicOS Enhanced, 30 days of IPS/AV/CFS
- TZ 170 SP: deep packet inspection firewall, failover/failback analog modem, 5-port MDIX switch, upgrade to SonicOS Enhanced, 30 days of IPS/AV/CFS
- TZ 170 Wireless: deep packet inspection firewall, wireless/wired security with 802.11b/g radio, 5-port MDIX switch, upgrade to SonicOS Enhanced, 30 days of IPS/AV/CFS
- TZ 170 SP Wireless: all the best features from each TZ 170, ships with SonicOS Enhanced, 30 days of IPS/AV/CFS
The PRO Series is a multi-service security platform for companies requiring rock-solid network protection coupled with fast, secure VPN access for remote employees.
- PRO 1260: small networks up to 25 nodes; deep packet inspection engine; 30 days of IPS/AV/CFS
- PRO 2040: small-to-medium networks up to 200 nodes; deep packet inspection engine; unlimited nodes; 10 VPN clients; 30 days of IPS/AV/CFS
- PRO 3060: businesses with complex networks; deep packet inspection engine; 6 user-defined interfaces; unlimited nodes; 25 VPN clients; 30 days of IPS/AV/CFS
- PRO 4060: businesses with complex network and VPN requirements; deep packet inspection engine; SonicOS Enhanced; 6 user-defined interfaces; unlimited nodes; 1,000 VPN clients; 1 year of SonicWALL IPS
- PRO 5060: medium-to-large enterprise networks requiring Gigabit performance; copper and copper/fiber versions; deep packet inspection engine; SonicOS Enhanced; 2,000 VPN clients; 1 year of SonicWALL IPS
The SonicOS Enhanced upgrade provides ISP failover, object-based management, policy-based NAT, 4+ interface support and Distributed Wireless.
Understanding Spam
Tactical Content Management
- Forged email address and envelope: fools the recipient into opening the mail
Tactical Content Management
- Image-only mails: how will text-based filters work?
Word and Token Manipulation
- Manipulate the text in the email so keyword matching fails
Uniqueness Generation
- Junk words
- Random words
URL Obfuscation
- A proxy hides the origin
- HTML comment tags filled with random content
Token (Colour) Manipulation
- Same colour font and background (invisible text), or
- Difficult-to-read text, with random characters / junk words
HTML Tag Corruption
- Corrupt the tags so that parsing is not possible!
Heuristic Grooming / Negative Rule Bashing
- Spam dressed up with content that earns negative (ham) scores: legal disclaimers, PGP signatures, forgot-password notices
- Problems for products!
Fooling Bayesian Filters
- Populate the text with random words
- Maybe invisible too!
Fooling Trainers and Collaborative Systems
- Use false tokens
- Increase the rate of false positives to unacceptable levels
- Make the anti-spam solution unviable
All these spam samples were taken from ONE DAY's spam mail!
Web Bugs / Spam Beacons
- The Outlook mail client fetches images from the spammer's website when the mail is displayed
- The spammer then knows when you opened the mail, and probably knows your mail id as well, since the image URL can carry an identifier for your address
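Most of the evasion tricks on the preceding slides (comment-split words, dotted and leet-spelled tokens, white-on-white filler, corrupted tags, and the tracking image above) are defeated by normalising the message before any keyword or token logic runs. The script below is an added example written for this page, not code from the presentation or from Barracuda: it strips comments, separates text coloured like the background (assumed white, as the constructed sample's body declares), tolerates unterminated tags, collapses each word to lowercase letters with common digit substitutions undone, and lists remote images that look like beacons. The sample message, the three-entry keyword list and the tracker URL are constructed for the demo.

```python
import html
import re
from urllib.parse import urlparse

# Constructed keyword list for this demo; a real filter would combine many such
# features in a score rather than rely on a handful of literal tokens.
KEYWORDS = ["viagra", "cheap", "clickhere"]
# Assumption: the page background is white, as the sample's <body> declares, so
# white text is invisible to the reader but visible to a naive token filter.
BACKGROUND = "ffffff"
# Common character substitutions undone before matching ("Cl1ck" -> "click").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample exhibiting several tricks from the slides at once.
SAMPLE = """<html><body bgcolor="#FFFFFF">
<!-- k3j9x --> Che<!-- 01 -->ap V.I.A.G.R.A on-line<br>
<font color="#FFFFFF">agenda minutes pgp signature forgot password</font>
<img src="http://tracker.example/open.gif?u=7f3a" width="1" height="1">
<p align="le ft> Cl1ck <b>here</b
</body></html>"""

def strip_comments(src):
    """Comments split keywords ("Che<!-- -->ap") and carry random filler; drop them first."""
    return re.sub(r"<!--.*?-->", "", src, flags=re.S)

def split_invisible(src, background=BACKGROUND):
    """Return (visible_html, hidden_text). Text coloured like the background is set
    aside so it cannot poison the score; it is returned separately because its mere
    presence is itself a signal."""
    pat = re.compile(r"<font[^>]*color\s*=\s*[\"']?#?" + background + r"[\"']?[^>]*>(.*?)</font>",
                     re.S | re.I)
    hidden = " ".join(m.group(1) for m in pat.finditer(src))
    return pat.sub(" ", src), hidden

def strip_tags(src):
    """Tolerant tag removal: the optional '>' lets corrupted or unterminated tags go too."""
    return re.sub(r"<[^>]*>?", " ", src)

def squash(text):
    """Canonical form for keyword matching: entities decoded, leet undone, lowercase,
    letters only. "V.I.A.G.R.A", "V i a g r a" and "Via-gra" all collapse to "viagra"."""
    return re.sub(r"[^a-z]", "", html.unescape(text).lower().translate(LEET))

def normalise(src):
    """(visible_letters, hidden_letters) for a raw HTML message."""
    visible, hidden = split_invisible(strip_comments(src))
    return squash(strip_tags(visible)), squash(strip_tags(hidden))

def keyword_hits(src):
    """Keywords present in the text the reader would actually see."""
    body, _hidden = normalise(src)
    return [k for k in KEYWORDS if k in body]

def find_web_bugs(src):
    """Remote images that are 1x1 or carry a query string: the spam-beacon pattern."""
    bugs = []
    for tag in re.findall(r"<img[^>]*>", src, flags=re.I):
        m = re.search(r"src\s*=\s*[\"']?([^\"' >]+)", tag, flags=re.I)
        if not m:
            continue
        url = urlparse(m.group(1))
        tiny = re.search(r"\b(width|height)\s*=\s*[\"']?1[\"']?(\s|>|$)", tag, flags=re.I)
        if url.scheme in ("http", "https") and (url.query or tiny):
            bugs.append(m.group(1))
    return bugs

if __name__ == "__main__":
    print(keyword_hits(SAMPLE))
    print("hidden text:", normalise(SAMPLE)[1])
    print("beacons:", find_web_bugs(SAMPLE))
```

The letters-only squash is deliberately lossy: it makes the split-token tricks useless but also merges adjacent words, so it belongs in front of a scoring stage rather than replacing one. Random-word padding (the Bayesian-poisoning slide) survives normalisation by design; the only counter there is to score the hidden text, which is why normalise returns it separately.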
Metamorphic Spam Trojans
- Target neglected always-on PCs
- Propagate under remote control
- Invisible hosting of spammers' websites
- Auto-installation of an SMTP server engine
- Hijack the PC and convert it into a proxy
Spamware
- Atomic Email Hunter
- Stealth Mail Master
Barracuda Anti-Spam Solution, from Barracuda Networks, USA
IIT Kanpur
Barracuda Spam Firewall Family
- Comprehensive solution: blocks spam and viruses
- Enterprise class: robust and reliable
- Plug-and-play: no per-user licensing fees, no changes needed to email servers
- Integrated hardware and software solution
Barracuda Spam Firewall
- Eliminates spam and viruses
- Protects your email server and your company
Architecture: 10 defense layers
- High performance
- Easily scalable
Barracuda Spam Firewall Family
- Spam Firewall 100: 250 users, 500,000 messages/day
- Spam Firewall 300: 1,000 users, 4 million messages/day
- Spam Firewall 400: 5,000 users, 10 million messages/day
- Spam Firewall 600: 10,000 users, 25 million messages/day
- Spam Firewall 800: 25,000 users, 30 million messages/day
- Clustering support for redundancy and higher capacity
- NEW! Outbound product
Thank You [email protected]
Advice to students on the proper use of the System Administrator's valuable time
Advice (1)
- Make sure to save all your MP3 files on your network drive. Sys Admin will back them up for you!
- Play with all the wires you can find. If you can't find enough, open something up to expose them. After you have finished, and nothing works anymore, put it all back together and call Sys Admin. Deny that you touched anything and that it was working perfectly only five minutes ago. Sys Admin just loves a good mystery.
- Never write down error messages. Just click OK, or restart your computer. Sys Admin likes to guess what the error message was.
Advice (2)
- If you get an EXE file in an email attachment, open it immediately. Sys Admin likes to make sure the anti-virus software is working properly.
- When Sys Admin sends you an email marked as "Highly Important" or "Action Required", delete it at once. He's probably just testing some new-fangled email software.
Advice (3)
- When the photocopier doesn't work, call Sys Admin. There's electronics in it, so it should be right up his alley.
- When you're getting a NO DIAL TONE message at your home computer, call Sys Admin. He enjoys fixing telephone problems from remote locations. Especially on weekends and holidays.
- When the printer won't print, re-send the job 20 times in rapid succession. That should do the trick.