Unified Threat Management
Peter Theobald, CEO, IT Secure
Presentation at Sys Admin Workshop, IIT Kanpur, Oct 21, 2005.

2 IIT Kanpur Sys Admin Workshop Quiz (slide footer: Unified Threat Management, April 27, 2005)
- When is “Sys Admin Appreciation Day”?

5 Sys Admins have a tough enough job already...
- What about security threats?
- How serious are they?
- What is the most effective and cost-efficient way to handle them?

6 Current Trends
- The speed and sophistication of cyber-attacks are increasing dramatically
- Blended threats, hybrid attacks and automated tools have become popular, and obtaining them is easy
- Critical infrastructure is dependent on the Internet, and threats are progressively more unpredictable
- Security problems cost time, money and pain

7 Intruders (figure: Attack Sophistication vs. Intruder Technical Knowledge, plotted from 1980 to 2004 on a High/Low scale). Techniques labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, staged / auto-coordinated attacks, cross site scripting.

8 Vulnerability in Software
- “99% of intrusions result from exploitation of known vulnerabilities” (Source: 2001 CERT, Carnegie Mellon University)
- Cause: software vulnerabilities come from source code written without proper checks and buffer handling
- Threat: facilitated by not applying patches to vulnerable machines, and by having those machines exposed on the network to outside threats
- The recent Slammer worm exploited a SQL vulnerability for which a patch had been available since July 2002

9 E-mail Viruses
- E-mail has become the primary means for distributing threats
- Trojans are easy to deliver and install
- HTML viruses (no user intervention) with webmail
- E-mails with attachments containing macros, VBScript, JavaScript and HTML scripts

10 File Based Threats
- Example: Internet download
- Viruses and malicious code infection from: peer-to-peer, instant messaging apps, shareware sites, compromised servers, legitimate corporations, web-based email
- Threats pass through stateful packet inspection firewalls
- Once inside the network, other machines are easily affected

11 File Based Threats
- Example: NetBIOS file transfers
- Viruses can be uploaded to network drives
- Once on the network drive, users can be affected
- Nimda was a virus that attacked file servers and opened up a hole allowing a hacker to obtain control of the server

12 Application Attacks
- Unpatched servers: Scob
- Servers do not get up-to-date patches
- Attacker sends malicious code through a buffer overflow
- Sends program instructions to the victim's computer for execution
- Can also be used as a denial-of-service attack, causing the computer to crash
- Server is infected
- New users who access the server get infected

13 Software Development Mistakes (figure: two charts). CERT Advisories by error class: Configuration Error, Design Error, Unknown (6%), Input Validation Error, Boundary Condition Error, Failure to Handle Exceptional Conditions, Access Validation Error (3% and 2% also appear on the chart; the remaining percentages are not recoverable). Security Focus by bug class: Buffer Overflows, Format String, Double Free, Integer Overflow, Others.

14 A Complete Attack: MyTob

15 MyTob Worm
- Discovered on: February 26, 2005
- W32.Mytob@mm is a mass-mailing worm that propagates via network shares and through email
- Uses its own SMTP engine to send an email to local email addresses
- Exploits the Microsoft Windows LSASS remote buffer overflow and RPC/DCOM vulnerabilities
- Opens a back door into the affected computer
- Protects itself by redirecting AV updates to the local computer

16 Step 1: Arrives as an email or buffer overflow
- Copies itself as %System%\msnmsgs.exe
- Adds the value “MSN” = “msnmsgs.exe” to the registry keys:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\OLE
  HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
- As a result, W32.Mytob@mm runs every time Windows starts

18 Step 2: Loads itself into memory
- Since the exe is now in startup, “msnmsgs.exe” is loaded into memory
- “HELLBOT” by Diablo is clearly advertised to show who wrote the program

19 Step 3: Logs in to an IRC channel
- Connects to an IRC channel on the irc.blackcarder.net domain on TCP port 6667
- Advertises the host PC's IP address
- Listens for commands that allow the remote attacker to perform the following actions: download files, execute files, delete files, update itself, get uptime information

20 Step 4: Generate potential targets and attack
- Generates random IP addresses
- Exploits the RPC/DCOM vulnerability, which allows the program to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service
- Exploits the Windows LSASS vulnerability, a buffer overflow that allows remote code execution and enables a malicious user to gain full control of the affected system

21 Step 5: Uses its own SMTP server to send itself
- Searches for email addresses on the local computer in files with the extensions .wab .adb .tbb .dbx .asp .php .sht .htm
- From: “spoofed”
- Subject: one of hello, hi, error, status, Mail Transaction Failed, Mail Delivery System, SERVER REPORT, (No Subject), or random alphabets
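A defender-side check for the traffic pattern Steps 3 to 5 describe, added here as an example and not part of the presentation: it reads constructed firewall connection records (hypothetical addresses and zones) and flags a host that talks IRC on TCP 6667, sends SMTP directly from the User Zone, and fans out to many random targets. The RPC/DCOM and LSASS ports (135, 445) and the fan-out threshold are assumptions, not taken from the slides.

```python
"""Flag hosts showing the W32.Mytob@mm traffic pattern from Steps 3-5.

Added example with constructed log lines (no real appliance format).
Record layout: timestamp zone src_ip dst_ip dst_port
"""
from collections import defaultdict

IRC_PORT = 6667          # Step 3: command channel on TCP 6667 (from the slides)
SMTP_PORT = 25           # Step 5: the worm runs its own SMTP engine
SCAN_PORTS = {135, 445}  # RPC/DCOM and LSASS ports; well known, not stated on the slides
FANOUT_THRESHOLD = 5     # distinct targets before we call it Step 4 scanning (assumed)

# Constructed sample; 10.x hosts are internal, the rest are documentation ranges.
SAMPLE_LOG = """\
2005-04-27T10:00:01 user 10.1.1.20 203.0.113.10 80
2005-04-27T10:00:02 user 10.1.1.20 203.0.113.10 443
2005-04-27T10:00:05 user 10.1.1.37 203.0.113.99 6667
2005-04-27T10:00:06 user 10.1.1.37 198.51.100.7 25
2005-04-27T10:00:07 user 10.1.1.37 198.51.100.8 25
2005-04-27T10:00:08 user 10.1.1.37 192.0.2.11 445
2005-04-27T10:00:08 user 10.1.1.37 192.0.2.12 135
2005-04-27T10:00:08 user 10.1.1.37 192.0.2.13 445
2005-04-27T10:00:09 user 10.1.1.37 192.0.2.14 135
2005-04-27T10:00:09 user 10.1.1.37 192.0.2.15 445
2005-04-27T10:00:30 server 10.2.0.5 198.51.100.7 25
"""


def parse_log(text):
    """Split the constructed records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, zone, src, dst, port = line.split()
        records.append({"ts": ts, "zone": zone, "src": src, "dst": dst, "port": int(port)})
    return records


def detect_mytob_pattern(records, fanout_threshold=FANOUT_THRESHOLD):
    """Return {source_ip: sorted indicator names} for hosts matching any indicator."""
    flags = defaultdict(set)
    scan_targets = defaultdict(set)
    for r in records:
        if r["port"] == IRC_PORT:                      # Step 3: IRC command channel
            flags[r["src"]].add("irc_6667")
        if r["port"] == SMTP_PORT and r["zone"] == "user":  # Step 5: mail from a desktop
            flags[r["src"]].add("direct_smtp_from_user_zone")
        if r["port"] in SCAN_PORTS:                    # Step 4: random target generation
            scan_targets[r["src"]].add(r["dst"])
    for src, targets in scan_targets.items():
        if len(targets) >= fanout_threshold:
            flags[src].add("scan_fanout")
    return {src: sorted(names) for src, names in flags.items()}


if __name__ == "__main__":
    for host, indicators in detect_mytob_pattern(parse_log(SAMPLE_LOG)).items():
        print(host, ", ".join(indicators))
```

The mail server in the Server Zone sending SMTP is not flagged; only the User Zone host that combines all three behaviours is.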

22 Understanding Spyware

23 What is Spyware/Adware?
- Spyware is any software that utilizes a computer's Internet access without the host's knowledge or explicit permission
- According to certain experts, approximately 90% of computers have some form of spyware
- Aids in gathering information: browsing habits (sites visited, links clicked, etc.); data entered into forms (including account names, passwords, text of web forms and web-based email, etc.); keystrokes and work habits

24 Spyware Infection
- A: Downloading programs: Kazaa / screensavers / Windows utilities; download managers / file-sharing software / demo software
- B: Trojans that are delivered or downloaded in e-mail
- C: In free, banner-ad-based software (popups)
- D: The most notorious enabler of spyware is Microsoft's ActiveX module

25 Today's Aging Technology
- Stateful Packet Inspection (SPI) is limited protection
- Provides source / destination / state intelligence
- Provides network address translation
- Stateful firewalls cannot protect against threats that are application-layer, file or email based

26 Firewall Technology
- Typical firewalls are effective for port blocking
- If a port is open, it is assumed any data can pass
- Intrusion detection is a “reactive” approach that does not actively protect
- Security must be built upon deep packet inspection and AV / anti-spyware / intrusion prevention with dynamic updates

27 The New Standard: UTM
- Unified Threat Management integrates the firewall with:
- Deep Packet Inspection
- Intrusion Prevention for blocking network threats
- Anti-Virus for blocking file-based threats
- Anti-Spyware for blocking spyware
- Faster updates to the dynamically changing threat environment, and elimination of false positives

28 Deep Packet Inspection: Unified Threat Management
- Zone-based security: protect internally (Server Zone, User Zone, Dept Zone)
- Gateway Anti-Virus: scan through unlimited file sizes and unlimited connections; scan over more protocols than any similar solution
- Anti-Spyware for protection against malicious programs: blocks the installation of spyware; blocks spyware that is emailed and sent internally
- Application Layer Threat Protection: full protection from Trojan, worm, blended and polymorphic threats
- DPI (Intrusion Prevention / Gateway AV / Anti-Spyware): full L2-7 signature-based inspection with application awareness; SonicWALL IPS/GAV dynamic updates; PRO Series as a prevention solution

29 Technology: Behind the Scenes

30 Hidden Threats: Firewall Traffic Path (figure: typical user activity, e.g. email, as seen by the user versus by the firewall)
- Network communication, like email, file transfers and web sessions, is packetized
- Our world view: one email. Firewall view: traffic = multiple packets of information; one packet = header info and data

31 Firewall Traffic Path: Stateful Packet Inspection (figure: the IP header fields (version, service, total length, ID, flags, fragment, TTL, protocol, IP checksum, source IP address, destination IP address, IP options) and the transport header fields (source port, destination port, length, checksum) are marked INSPECT; the DATA field is not. The sample packet shows only source/destination addresses and ports, sequence numbers and SYN state being examined.)
- Stateful is limited inspection that can only block on ports
- No data inspection!

32 Firewall Traffic Path: Deep Packet Inspection (figure: the same header fields and the DATA field are all marked INSPECT and compared against a signature database with per-category signature counts: ATTACK-RESPONSES, BACKDOOR, BAD-TRAFFIC, DDOS, DNS, DOS, EXPLOIT, FINGER, FTP, ICMP, Instant Messenger, IMAP, INFO, Miscellaneous, MS-SQL, MS-SQL/SMB, MULTIMEDIA, MYSQL, NETBIOS, NNTP, ORACLE, P2P, POLICY, POP2, POP3, RPC, RSERVICES, SCAN, SMTP, SNMP, TELNET, TFTP, VIRUS, WEB-ATTACKS, WEB-CGI, WEB-CLIENT)
- Deep Packet Inspection inspects all traffic moving through a device

33 Firewall Traffic Path: Deep Packet Inspection / Prevention (figure: a sequence of packets, headers and DATA, is compared against the signature database; “Application Attack, Worm or Trojan Found!”)
- Deep Packet Inspection with Intrusion Prevention can find and block application vulnerabilities, worms or Trojans

34 Firewall Traffic Path: Gateway Anti-Virus and Content Control (figure: packet DATA compared against the signature database; “Virus File!” flagged by Gateway Anti-Virus / Anti-Spyware, “Auction Site” flagged by Content Inspection)

35 Security Must Be Updated (figure: Deep Packet Inspection draws on separate AV, IPS, Spyware and Content Filtering databases for Gateway Anti-Virus, Anti-Spyware, Content Inspection and the Content Filtering Service)
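To make the contrast in slides 31 to 35 concrete, here is an added example (not SonicWALL's code): a constructed IPv4/TCP packet is parsed, the stateful check looks only at protocol and destination port, and the deep-packet check additionally compares the DATA field against a constructed signature list. The allowed ports and the signature patterns are assumptions for illustration, not real IPS signatures.

```python
"""Stateful packet inspection vs. deep packet inspection on one constructed packet."""
import struct

ALLOWED_PORTS = {25, 80, 443}   # "open" ports in the assumed stateful rule set

# Constructed signature database: (category, byte pattern compared against DATA).
SIGNATURES = [
    ("EXAMPLE-OVERFLOW", b"A" * 64),              # long filler run, the overflow slide's idea
    ("EXAMPLE-BACKDOOR", b"HELLBOT by Diablo"),   # banner quoted on the MyTob slide
]


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Minimal IPv4 + TCP packet; checksums are left at zero for simplicity."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_headers(pkt):
    """Pull out the header fields the slides show, plus the DATA that follows them."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
    data_off = (off >> 4) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto, "sport": sport, "dport": dport,
            "payload": pkt[ihl + data_off:total_len]}


def stateful_verdict(hdr):
    """Header-only decision: if the port is open, any data is assumed able to pass."""
    if hdr["proto"] == 6 and hdr["dport"] in ALLOWED_PORTS:
        return ("allow", None)
    return ("block", "port %d closed" % hdr["dport"])


def dpi_verdict(hdr):
    """Same port check, then the DATA field is compared against every signature."""
    verdict = stateful_verdict(hdr)
    if verdict[0] == "block":
        return verdict
    for category, pattern in SIGNATURES:
        if pattern in hdr["payload"]:
            return ("block", category)
    return ("allow", None)


def inspect(pkt):
    hdr = parse_headers(pkt)
    return {"stateful": stateful_verdict(hdr), "dpi": dpi_verdict(hdr)}


if __name__ == "__main__":
    clean = build_packet("10.1.1.20", "203.0.113.10", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    bad = build_packet("10.1.1.37", "203.0.113.10", 40001, 80,
                       b"GET /" + b"A" * 64 + b" HTTP/1.0\r\n")
    print(inspect(clean))   # both allow
    print(inspect(bad))     # stateful allows, DPI blocks on EXAMPLE-OVERFLOW
```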

36 SonicWALL Solutions

37 Value Innovation Philosophy
- Affordable: total cost of ownership
- Simple: easy to install, use and manage
- Powerful: deep, dynamic, distributed

38 Unified Threat Management Appliance
- Firewall
- VPN
- Basic bandwidth management
- Gateway AV, Intrusion Prevention and Anti-Spyware
- Content Filtering
- Reporting
- Secure Wireless
- High Availability (appliance)
- ISP Load Balancing / Failover
- Central Management

39 Dynamic Real-Time Protection
- Dynamic real-time threat scanning engine at the gateway: Anti-Virus, Anti-Spyware and Intrusion Prevention
- Protects against: viruses, spyware, worms, trojans, application vulnerabilities
- External and internal protection
- Reassembly-free engine
- Scans and decompresses an unlimited number of files and file sizes
- Supports over 50 protocol types, including SMTP, IMAP, POP3 (email), HTTP (web), FTP (file transfer), peer-to-peer transfers, NetBIOS (intra-LAN transfers) and any stream-based protocol
- Database updatable by an expert signature team

40 The TZ Series is the ideal total security platform for small networks, providing a compelling blend of ease of use for basic networks and flexibility for more complex networks.
- TZ 170: Deep Packet Inspection Firewall; WorkPort; 5-port MDIX switch; upgrade to SonicOS Enhanced; 30 days of IPS/AV/CFS
- TZ 170 SP: Deep Packet Inspection Firewall; Failover/Failback; analog modem; upgrade to SonicOS Enhanced; 5-port MDIX switch; 30 days of IPS/AV/CFS
- TZ 170 Wireless: Deep Packet Inspection Firewall; wireless/wired security; 802.11b/g radio; upgrade to SonicOS Enhanced; 5-port MDIX switch; 30 days of IPS/AV/CFS
- TZ 170 SP Wireless: all the best features from each TZ 170; ships with SonicOS Enhanced; 30 days of IPS/AV/CFS
- TZ 150: Deep Packet Inspection Firewall; supports up to 10 nodes; 4-port MDIX LAN switch; 30 days of IPS/AV/CFS

41 The PRO Series is a multi-service security platform for companies requiring rock-solid network protection coupled with fast, secure VPN access for remote employees.
- PRO 1260: small networks up to 25 nodes; Deep Packet Inspection Engine; 30 days of IPS/AV/CFS
- PRO 2040: small-to-medium networks up to 200 nodes; Deep Packet Inspection Engine; unlimited nodes; 10 VPN clients; 30 days of IPS/AV/CFS
- PRO 3060: businesses with complex networks; Deep Packet Inspection Engine; 6 user-defined interfaces; unlimited nodes; 25 VPN clients; 30 days of IPS/AV/CFS
- PRO 4060: businesses with complex network and VPN requirements; Deep Packet Inspection Engine; SonicOS Enhanced; 6 user-defined interfaces; unlimited nodes; 1,000 VPN clients; 1 year of SonicWALL IPS
- PRO 5060: medium-to-large enterprise networks requiring Gigabit performance; copper and copper/fiber versions; Deep Packet Inspection Engine; SonicOS Enhanced; 2,000 VPN clients; 1 year of SonicWALL IPS
- The SonicOS Enhanced upgrade provides ISP failover, object-based management, policy-based NAT, 4+ interface support, and Distributed Wireless

42 Understanding Spam

43 Tactical Content Management
- Forged email address and envelope
- Fools the recipient into opening

45 Tactical Content Management: image-only mails
- How will text-based filters work?

47 Word and Token Manipulation
- Manipulate text in the email so keyword matching fails

49 Uniqueness Generation
- Junk words
- Random words

52 URL Obfuscation
- A proxy hides the origin
- HTML comment tags with random content

55 Token (colour) Manipulation
- Same colour font and background (invisible text), OR
- Difficult-to-read text, with random characters / junk words

60 HTML Tag Corruption
- Corrupt the tags so parsing is not possible!

62 Heuristic Grooming
- Negative rule bashing
- Legal disclaimers, PGP signatures, forgot-password mails
- Problems for products!

64 Fooling Bayesian Filters
- Populate the text with random words
- Maybe invisible too!

66 Fooling Trainers and Collaborative Systems
- Use false tokens
- Increase the rate of false positives to unacceptable levels
- Make the anti-spam solution unviable

68 All these spam samples were taken from ONE DAY’s spam mail!!

69 Web Bugs / Spam Beacons
- The Outlook mail client grabs images from the spammer's website
- The spammer knows when you have opened the mail, and probably knows your mail id as well

70 Metamorphic Spam Trojans
- Target neglected always-on PCs
- Propagate under remote control
- Invisible hosting of spammers' websites
- Auto-installation of an SMTP server engine
- Hijack the PC and convert it into a proxy

71 Spamware
- Atomic Email Hunter
- Stealth Mail Master

74 Barracuda Anti-Spam Solution
- From Barracuda Networks, USA

75 IIT Kanpur

76 Barracuda Spam Firewall Family
- Comprehensive solution
- Blocks spam and viruses
- Enterprise class
- Robust and reliable
- Plug-and-play
- No per-user licensing fees
- No changes needed to email servers
- Integrated hardware and software solution

77 Barracuda Spam Firewall
- Eliminates spam and viruses
- Protects your email server and your company

78 Architecture: 10 Defense Layers
- High performance
- Easily scalable

79 Barracuda Spam Firewall Family
- Spam Firewall 100: 250 users, 500,000 mails/day
- Spam Firewall 300: 1,000 users, 4 million messages/day
- Spam Firewall 400: 5,000 users, 10 million messages/day
- Spam Firewall 600: 10,000 users, 25 million messages/day
- Spam Firewall 800: 25,000 users, 30 million messages/day
- Clustering support for redundancy and higher capacity
- NEW! Outbound product!

80 Thank You [email protected]

81 Advice to students on the proper use of the System Administrator's valuable time

82 Advice (1)
- Make sure to save all your MP3 files on your network drive. Sys Admin will back them up for you!
- Play with all the wires you can find. If you can't find enough, open something up to expose them. After you have finished, and nothing works anymore, put it all back together and call Sys Admin. Deny that you touched anything and that it was working perfectly only five minutes ago. Sys Admin just loves a good mystery.
- Never write down error messages. Just click OK, or restart your computer. Sys Admin likes to guess what the error message was.

83 Advice (2)
- If you get an EXE file in an email attachment, open it immediately. Sys Admin likes to make sure the anti-virus software is working properly.
- When Sys Admin sends you an email marked as "Highly Important" or "Action Required", delete it at once. He's probably just testing some new-fangled email software.

84 Advice (3)
- When the photocopier doesn't work, call Sys Admin. There's electronics in it, so it should be right up his alley.
- When you're getting a NO DIAL TONE message at your home computer, call Sys Admin. He enjoys fixing telephone problems from remote locations, especially on weekends and holidays.
- When the printer won't print, re-send the job 20 times in rapid succession. That should do the trick.