Palo Alto Networks security solution - protection against new cyber-criminal threats focused on client-side vulnerabilities Mariusz Stawowski, Ph.D., CISSP.


Palo Alto Networks security solution - protection against new cyber-criminal threats focused on client-side vulnerabilities Mariusz Stawowski, Ph.D., CISSP Director of Professional Services, CLICO

ISO9001:2001
Agenda
- Introduction
- New client-side vulnerabilities used by cyber-criminals
- Next-Generation Firewall: an effective protection against attacks focused on end users
- A live demo of the Palo Alto Networks security solution: unique features in practice
- Summary

Introduction
In the 1990s, hackers showed the world their knowledge and achievements. Nowadays, cyber-criminals' activities are performed in an invisible way.

Introduction
Source: Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance.

Introduction
SANS, The Top Cyber Security Risks 2009, Executive Summary:
- Priority One: Client-side software that remains unpatched.
- Priority Two: Internet-facing web sites that are vulnerable.
- ...
Source: SANS Institute

Client-side Hacking
Source: SANS Institute, "The Top Cyber Security Risks 2009". Tutorial: Real Life HTTP Client-side Exploitation Example
- Step 0: Attacker Places Content on Trusted Site
- Step 1: Client-Side Exploitation
- Step 2: Establish Reverse Shell Backdoor Using HTTPS
- ...

Client-side Hacking
Are we vulnerable? Every company can easily conduct a test to verify whether its safeguards are able to protect IT systems against common client-side threats.

Client-side Vulnerability Assessment
Test 1. Control of dangerous applications
The test objective is to verify whether the Company's safeguards properly detect and block dangerous applications, i.e.:
- P2P (file sharing),
- Tor (free access to Internet services, publishing network services),
- Web conferencing (desktop sharing).
Security assessment should be conducted using real applications, e.g. Skype, smart P2P (e.g. Azureus) and a Web session tunnelled through Tor.

Client-side Vulnerability Assessment
Test 1. Control of dangerous applications: expected results

Client-side Vulnerability Assessment
Test 2. Client-side attacks in encrypted tunnels
The test objective is to verify whether the Company's safeguards properly detect and block attacks conducted in encrypted HTTPS traffic. Security assessment can be conducted using the following tools:
- a Web server (e.g. Apache Tomcat) publishing a Web page that contains exploits injected by a vulnerability exploitation tool (e.g. Metasploit),
- an SSL VPN gateway tunnelling the attacks in SSL (e.g. SSL-Explorer).

Client-side Vulnerability Assessment
Test 2. Client-side attacks in encrypted tunnels: expected results

Client-side Vulnerability Assessment
Test 3. Hijacking users' application sessions
The test objective is to verify whether the Company's safeguards properly detect and block unauthorized access to an external Web proxy. Security assessment can be conducted using Burp proxy (or another intercepting proxy) in the following way:
- The Web browser on an internal user's workstation is configured to use a proxy at the external IP address where Burp is located.
- The user opens an HTTPS session to an e-commerce or e-banking system.
- The intercepting proxy allows intruders to change selected content of HTTP and HTTPS sessions (e.g. steal money from the user's bank account, reveal the user's credit card number and other confidential data).

Client-side Vulnerability Assessment
Test 3. Hijacking users' application sessions: expected results
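A defender-side detection for Test 3, added here as an example (it is not code from the presentation or from Palo Alto Networks). It scans HTTP request log lines for workstations that talk to a proxy which is not the company's own: a CONNECT request, or an absolute-URI request target ("GET http://host/path"), is something a browser only sends to a proxy, so seeing either towards a non-approved address is the signal the test is meant to trigger. The log format, the approved proxy address 10.0.0.5 and the sample lines are assumptions constructed for the example.

```python
"""Added example (not Palo Alto Networks code): flag internal hosts that send
proxy-style HTTP requests to a destination other than the approved proxy."""
import ipaddress
import re

# Constructed log format: '<src-ip> -> <dst-ip>:<dst-port> "<request line>"'
LOG_RE = re.compile(r'^(\S+) -> (\S+):(\d+) "([A-Z]+) (\S+) HTTP/\d\.\d"$')

# The company's own proxy (constructed address); anything else is unauthorized.
APPROVED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed sample log: two hosts use external proxies, one uses the approved
# proxy, two send ordinary origin-form requests (no proxy involved).
SAMPLE_LOG = """\
10.1.2.3 -> 203.0.113.7:8080 "CONNECT bank.example:443 HTTP/1.1"
10.1.2.4 -> 198.51.100.20:80 "GET /index.html HTTP/1.1"
10.1.2.5 -> 203.0.113.9:3128 "GET http://shop.example/cart HTTP/1.1"
10.1.2.6 -> 10.0.0.5:3128 "CONNECT mail.example:443 HTTP/1.1"
10.1.2.7 -> 203.0.113.9:3128 "POST /login HTTP/1.1"
"""


def is_proxy_style(method, target):
    """True when the request only makes sense when addressed to a proxy:
    CONNECT tunnels, or an absolute-form request target."""
    return method == "CONNECT" or target.lower().startswith(("http://", "https://"))


def find_unauthorized_proxy_use(log_text):
    """Return one record per request that goes to a proxy outside the approved set."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        src, dst, port, method, target = m.groups()
        if not is_proxy_style(method, target):
            continue
        if ipaddress.ip_address(dst) in APPROVED_PROXIES:
            continue  # going through the company proxy is the intended path
        hits.append({"src": src, "proxy": f"{dst}:{port}", "method": method, "target": target})
    return hits


if __name__ == "__main__":
    for h in find_unauthorized_proxy_use(SAMPLE_LOG):
        print(f"{h['src']} uses unauthorized proxy {h['proxy']} ({h['method']} {h['target']})")
```

The mitigating firewall rule follows directly from the detection: workstations should be allowed to reach the Internet only through the approved proxy (or through an application-aware policy), so that a browser pointed at an external proxy fails to connect rather than merely being logged.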

Client-side Vulnerability Assessment
Detailed guidelines in ISSA Journal, November.

Next Generation Firewall

Applications operate dynamically
- Port ≠ Application
- IP address ≠ User
- Packet data ≠ Content (e.g. encrypted)
Most Internet applications communicate using the HTTP and HTTPS protocols; they use dynamically assigned ports and encrypted tunnels. Network firewalls identify Web browsing on port 80 or 443; in reality, however, there are hundreds of different applications: P2P, IM, Skype, online games, file sharing, , etc.

Next Generation Firewall
The fundamental security policy principle of "Least Privilege" states that network safeguards should block ALL TRAFFIC that was not explicitly defined by the policy as PERMITTED. The "Least Privilege" principle is a main part of IT security standards (ISO 27001, PCI, etc.). Compliance with the "Least Privilege" principle requires that network safeguards properly identify all network applications regardless of port, protocol, evasive tactic and encryption (like SSL).


Effective applications identification and control
More than 60% of applications are hidden from network firewalls.
- Firewalls do not recognize most applications.
- Some applications and servers can be blocked by an IPS (signatures) or Web Filtering (URL database).
- As many applications (e.g. P2P, Skype, Tor) use encryption, they cannot be identified by IPS signatures.
There is a need for a firewall that is able to identify applications (not only ports) and whose security policy describes the allowed applications (all others are denied).

Effective applications identification and control
Palo Alto Networks solution
- Firewall security policy describes allowed applications.
- Profiles activate inspection (AV, IPS, WF, etc.) as well as bandwidth management (QoS).
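To make the least-privilege argument of the preceding slides concrete, the following Python script is an added example (not code from the presentation or from Palo Alto Networks). It evaluates the same constructed sessions under a classic port-based rule set and under an application- and user-based rule set with an implicit final deny, and lists what the first lets through that the second stops. The identified application and the user's directory group are given directly in the session records; a real NGFW derives them from traffic content and directory integration. Session values, group names and rule names are assumptions made for the example.

```python
"""Added example (not Palo Alto Networks code): port-based versus
application/user-based default-deny policy evaluation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    group: str       # directory group of the user (constructed)
    dst_port: int
    app: str         # application identified from content, not from the port


# Constructed sessions: several unrelated applications share ports 80/443.
SESSIONS = [
    Session("alice", "staff",  443, "web-browsing"),
    Session("bob",   "staff",  443, "bittorrent"),   # P2P tunnelled over 443
    Session("carol", "staff",  80,  "skype"),
    Session("dave",  "netops", 22,  "ssh"),
    Session("erin",  "staff",  22,  "ssh"),          # ssh, but not an admin
    Session("frank", "staff",  443, "tor"),
]

# Classic stateful firewall: "allow outbound web" expressed as ports.
PORT_RULES = {80, 443}

# Application-aware policy: (rule name, allowed groups or None for any, apps).
# Rules are evaluated in order; anything unmatched hits the implicit deny.
APP_RULES = [
    ("allow-web",       None,       {"web-browsing", "ssl"}),
    ("allow-admin-ssh", {"netops"}, {"ssh"}),
]


def port_based_decision(s):
    return "allow" if s.dst_port in PORT_RULES else "deny"


def app_based_decision(s):
    """Return (rule name, action); least privilege means default deny."""
    for name, groups, apps in APP_RULES:
        if s.app in apps and (groups is None or s.group in groups):
            return name, "allow"
    return "implicit-deny", "deny"


def hidden_from_port_firewall(sessions):
    """Applications a port-based firewall permits but the app-based policy denies."""
    return [s.app for s in sessions
            if port_based_decision(s) == "allow" and app_based_decision(s)[1] == "deny"]


def decisions(sessions):
    """Map user -> (port-based action, (matched rule, app-based action))."""
    return {s.user: (port_based_decision(s), app_based_decision(s)) for s in sessions}


if __name__ == "__main__":
    for user, (port_dec, (rule, app_dec)) in decisions(SESSIONS).items():
        print(f"{user:6} port-based={port_dec:5} app-based={app_dec:5} ({rule})")
    print("hidden from port firewall:", hidden_from_port_firewall(SESSIONS))
```

The interesting rows are bob, carol and frank: every one of their sessions is "web" to a port-based firewall, while the application policy has no rule for them and the implicit deny applies. The ssh rows show the User-ID dimension: the same application is permitted for the netops group and denied for everyone else.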

Security Profiles identify malicious use of allowed applications. The firewall protects against network attacks and malicious code and, at multi-gigabit throughput, detects and filters illegal data transferred by applications (e.g. credit card numbers, specified documents).
- Data Filtering: stops sensitive information (e.g. SSN, CC#) from traversing trusted boundaries. Data objects are defined as regular expressions (regex).
- File Filtering: identification and filtering of specified files sent by applications. Identification is based on MIME type and file header (not extension).

Effective users identification and control
- Firewall policy accurately defines users' access to network services, and it is enforced even when users change location and IP address.
- The firewall transparently verifies the user's identity (Active Directory, Citrix and TS integration).

Content inspection of encrypted traffic
Encrypted traffic hides important threats. Safeguards (firewall, IPS, etc.) do not analyze encrypted HTTPS traffic, through which intruders and malicious code can easily break into internal networks. There is a need for protections that decrypt non-trusted HTTPS traffic and properly analyze it (IPS, AV, etc.).

Content inspection of encrypted traffic
Palo Alto Networks solution: SSL content inspection
Diagram: PAN certificate / Server certificate / Server
The firewall protects users surfing the Internet against dangerous attacks in encrypted communication (i.e. malicious code, exploits for Web browsers). PAN decrypts non-trusted HTTPS traffic and properly analyzes it (IPS, AV, etc.).
- Content inspection of encrypted SSL traffic: outgoing to the Internet and also incoming to the company's servers.
- PAN maintains an internal Certificate Authority for dynamic certificate generation (root CA or subordinate to the company's root CA).
- For outgoing traffic, the HTTPS inspection policy accurately defines the servers that are not trusted and require control. Identification of non-trusted HTTPS servers is performed using pre-defined Web Filtering categories (e.g. Finance-and-investment, Shopping) or addresses of known servers.

Visibility into Applications, Users & Content
Dedicated graphical tools provide network visibility and control in the scope of applications, users and content. Monitoring and reporting in real time. Detailed analysis of user activities.

Next Generation Firewall: a live demo

Palo Alto Networks - technical features

PAN-OS NETWORK FEATURES
Interfaces:
- Copper GB
- SFP (1 GB)
- XFP (10 GB)
- Link Aggregation
Work modes:
- L2
- L3 (OSPF and RIP)
- V-wire
- Tap
High availability:
- Active/Passive
- Configuration and session synchronization
- Status monitoring of devices, links and communication paths
Virtualization:
- VLAN (in L2 and L3)
- Virtual routers
- Virtual systems

PAN-OS SECURITY FEATURES
- Firewall: network and application layers
- SSL traffic inspection
- NAT (ports, addresses)
- Bandwidth management: DiffServ, QoS
- Security technologies: App-ID, User-ID, Content-ID
- Content inspection: Anti-Virus, IPS & Anti-Spyware, Web Filtering, Data & File Filtering
- Transparent user authentication and control
- IPSec VPN: route-based VPN (site-to-site)
- SSL VPN

App-ID: Comprehensive Application Visibility
- Policy-based control of more than 800 applications distributed across five categories and 25 sub-categories
- Definition of custom applications
- Balanced mix of business, internet and networking applications and networking protocols
- ~ new applications added weekly

User-ID: Enterprise Directory Integration
- Users no longer defined solely by IP address: leverages the existing Active Directory infrastructure
- Understand users' application and threat behavior based on the actual AD username, not just IP
- Manage and enforce policy based on user and/or AD group (also Citrix and MS TS agent)
- Investigate security incidents, generate custom reports

Content-ID: Real-Time Content Scanning
Detect and block a wide range of threats, limit unauthorized file transfers and control non-work-related web surfing.
- Stream-based, not file-based, for real-time performance
  - A uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
- Block transfer of sensitive data and file transfers by type
  - Looks for CC# and SSN patterns
  - Looks into the file to determine its type (not extension based)
- Web filtering enabled via a fully integrated URL database
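The Data Filtering and File Filtering points on the Security Profiles slide and on this Content-ID slide describe three ideas: sensitive data patterns expressed as regular expressions, file type taken from the file header rather than the extension, and stream-based scanning. The Python below is an added example of all three (not code from the presentation or from Palo Alto Networks). It goes slightly beyond the slides by validating card-number candidates with the Luhn checksum, which removes most false positives from plain digit-run regexes, and by carrying a tail of each chunk into the next so that a number split across two chunks is still caught exactly once. The magic-byte table, the pattern details and the sample data are assumptions constructed for the example.

```python
"""Added example (not Palo Alto Networks code): regex data filtering with a
Luhn check, header-based file typing, and stream-based scanning across chunks."""
import re

# Candidate card number: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN: area 001-899 except 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
MAX_MATCH = 37  # longest CARD_RE match: 19 digits plus 18 separators


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid card numbers (digits only) found in text."""
    out = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            out.append(digits)
    return out


def find_ssns(text):
    return [m.group() for m in SSN_RE.finditer(text)]


# Constructed magic-byte table; a production engine keys on MIME type as well.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ms-office-ole"),
]


def identify_file(data, claimed_name):
    """Return (type from header, True if the claimed extension disagrees)."""
    detected = next((t for sig, t in MAGIC if data.startswith(sig)), "unknown")
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    return detected, detected != "unknown" and ext != detected


def scan_stream(chunks, overlap=MAX_MATCH + 1):
    """Scan text chunks as one stream. The last `overlap` characters of each
    window are prepended to the next so a match split across chunks is found;
    a match that ends exactly at a non-final window edge is deferred, and
    matches lying wholly in the carried tail were already counted."""
    found, tail = [], ""
    for i, chunk in enumerate(chunks):
        window = tail + chunk
        last = i == len(chunks) - 1
        for m in CARD_RE.finditer(window):
            if m.end() < len(tail):
                continue  # entirely inside text scanned in the previous window
            if not last and m.end() == len(window):
                continue  # may continue in the next chunk; rescanned then
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                found.append(digits)
        tail = window[-overlap:]
    return found


if __name__ == "__main__":
    print(find_card_numbers("card 4111 1111 1111 1111 and bad 4111111111111112"))
    print(find_ssns("ssn 123-45-6789, not 000-12-3456"))
    print(identify_file(b"MZ\x90\x00\x03\x00", "invoice.pdf"))
    print(scan_stream(["customer 4111 1111", " 1111 1111 paid"]))
```

The two test card numbers used above (4111 1111 1111 1111 and 5500 0000 0000 0004) are widely published sandbox numbers, not real accounts; the Luhn check alone is what separates them from the look-alike 4111111111111112.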

Flexibility of security operations
Networks and threats are changing.
- Appropriate protection of IT systems requires safeguards controlling many network segments in different modes: L3, transparent (L2) and sniffer.
- Cost effectiveness requires virtualization of the protections: VLAN interfaces, virtual routers and virtual systems.

Flexibility of security operations
Palo Alto Networks solution
Diagram: one device with interfaces in L2 (VLAN 10, VLAN 20), L3 (DMZ, Internet), Vwire and Tap (Core Switch) modes
- Many work modes: Tap Mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.
- The protections' work mode is adjusted to the requirements: network interfaces in one device can work in different modes.
- Security virtualization: VLAN interfaces in L2 and L3, virtual routers and virtual systems.

Inspection without performance degradation
Application inspection causes performance degradation. Application inspection of network traffic performed on many inspection modules (IPS, AV, etc.) causes huge performance degradation. There is a need for protections that, in one inspection module working at multi-gigabit performance, can identify and completely analyze application traffic.
Diagram: FW module / WF module / IPS module / AV module

Inspection without performance degradation
Palo Alto Networks solution
- One module for network traffic analysis using a shared database of universal signatures for content inspection.
- Purpose-built hardware architecture: protection tasks performed on dedicated hardware elements, separation of control and traffic processing modules.
Diagram labels: L2/L3 Networking, HA, Config Management, Reporting; App-ID; Content-ID; Policy Engine; Application Protocol Detection and Decryption; Application Protocol Decoding; Heuristics; Application Signatures; URL Filtering; Threat Prevention; Data Filtering; User-ID

Inspection without performance degradation
One module for network traffic analysis using a shared database of universal signatures for Intrusion Prevention, Anti-Virus, Anti-Spyware, etc.
Diagram: Stream-Based Matching, Uniform Signature Format; Viruses, Spyware Files, Spyware "Phone Home", Vulnerability Exploits, Worms (Future)

Inspection without performance degradation
Purpose-built hardware architecture: protection tasks performed on dedicated hardware elements (Flash Matching HW, SSL/IPSec encryption HW, Network Processor), separation of control and traffic processing modules.
Diagram:
- Control Plane: dual-core CPU, RAM, HDD
- Data Plane: Flash Matching HW Engine (uniform signature matching), RAM; Multi-Core Security Processor (CPU 1 to CPU 16; hardware-accelerated SSL, IPSec, decompression), RAM; 10 Gig Network Processor (hardware-accelerated QoS, route lookup, MAC lookup and NAT)

Security management
- CLI and graphical Web console
- Central management system: Panorama
- Role-based administration enables delegation of tasks to the appropriate person
- Local user database and RADIUS
- Admin audit
- Syslog, SNMP and reporting
- XML-based API

Security management
- Active and candidate configurations
- Rollback, quick comparison of different configurations
> commit

Analysis, monitoring and reporting

Device models
Chart: performance (250Mb, 2Gb, 10Gb, 10Gb with XFPs) against deployment size (Remote Office / Medium Enterprise / Large Enterprise); PA Series (Gb) and PA Series (Mb)
Annual subscriptions: threat prevention +20%, URL filtering +20%, support +16%

PA
- Mbps firewall throughput
- Mbps threat prevention throughput
- 50 Mbps IPSec VPN throughput
- IPSec VPN tunnels and tunnel interfaces
- 7,500 new sessions per second
- 64,000 max sessions
- (8) 10/100/ (1) 10/100/1000 out-of-band management interface
- (1) RJ-45 console interface

PA-2000 Series
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user-definable HA port
PA: Gbps FW, 500 Mbps threat prevention, 250,000 sessions, 16 copper gigabit, 4 SFP interfaces
PA: Mbps FW, 200 Mbps threat prevention, 125,000 sessions, 12 copper gigabit, 2 SFP interfaces

PA-4000 Series
- 2U, 19" rack-mountable chassis
- Dual hot-swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port
PA: Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 16 copper gigabit, 8 SFP interfaces
PA: Gbps FW, 2 Gbps threat prevention, 500,000 sessions, 16 copper gigabit, 8 SFP interfaces
PA: Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O

Summary

Palo Alto Networks – unique features
1. Identifies applications regardless of port numbers, tunneling and encryption protocols (including P2P and IM). Firewall policy rules explicitly define which applications are permitted.
- More than 60% of applications are hidden from network firewalls.
- ISO 27001, A Policy on use of network services: "The users should only be provided with access to the services that they have been specifically authorized to use."
- Control of applications is an essential requirement of IT security standards (ISO 27001, PCI, etc.): the Principle of Least Privilege.
- Common firewall, IPS and UTM are not able to fulfill this requirement.

Palo Alto Networks – unique features
2. Protects users surfing the Internet against dangerous attacks in encrypted communication (e.g. malicious code, exploits for Web browsers). Non-trusted HTTPS traffic is decrypted and properly inspected (IPS, AV, etc.).
- Common safeguards (network firewall, IPS, etc.) do not analyze encrypted SSL traffic, through which intruders and malicious code can easily break into internal networks.

Palo Alto Networks – unique features
3. Performs the security tasks on network interfaces operating in different work modes (L2, L3, Tap, VLAN in L2 and L3). If needed, the security device can work in different modes at the same time.
- Appropriate protection of IT systems requires safeguards controlling many network segments in different modes: L3, transparent (L2) and sniffer.
- Common network safeguards can work only in one selected mode.
Diagram: L2 (VLAN 10, VLAN 20), L3 (DMZ, Internet), Vwire, Tap (Core Switch)

Palo Alto Networks – unique features
4. Performs accurate application inspection (IPS, AV, etc.) without performance degradation (one inspection path: shared database of universal signatures, purpose-built hardware architecture).
- Application inspection in a common UTM is performed on many inspection modules (IPS, AV, WF, etc.) based on products from different vendors. It causes huge performance degradation.
Diagram: FW module / WF module / IPS module / AV module versus the single-pass architecture (L2/L3 Networking, HA, Config Management, Reporting; App-ID; Content-ID; Policy Engine; Application Protocol Detection and Decryption; Application Protocol Decoding; Heuristics; Application Signatures; URL Filtering; Threat Prevention; Data Filtering; User-ID)

Palo Alto Networks – unique features
5. Manages network bandwidth with QoS policies that are defined per application, user, IP address, interface, VPN tunnel and other parameters.
6. Transparently authenticates the identity of users in the network (AD, TS, Citrix integration). Firewall policy accurately defines user access permissions to the applications and enforces them even when users change location and IP address.
7. Provides granular visibility and policy control over applications, users and content.

Deployment scenarios
- Visibility / Monitor: connect to a span port; provides application visibility without inline deployment.
- Firewall Augmentation: deploy transparently behind the existing firewall; provides application visibility and control without networking changes.
- Firewall Replacement: replace the existing firewall; provides application- and network-based visibility and control, consolidated policy, high performance.