1
Moving Security Enforcement into the Heart of the Network
Peter Benson CEO Security-Assessment.com October, 2005
2
Agenda
Evolution of Threats
Why Network Access Control Matters
The Laws of Vulnerabilities
Network Access Control Architectures
Summary and Action
3
Security Trend Indicators
Malicious Code (↑)
Vulnerabilities (↑)
Spam and Spyware (↑)
Phishing and Identity Theft (↑)
... and Time to Exploitation (↓)
4
Where are the issues?
A multitude of insecure protocols and services: telnet, ftp, snmp
Known default settings: passwords, SNMP community strings
System design errors: setup and access control errors
Software implementation flaws: input validation, lack of sanity checks
User-triggered issues and browser-related issues
5
First Generation Threats
Spreading mostly via e-mail and file-sharing
Human action required
Virus-type spreading; no vulnerabilities exploited
Examples: Melissa macro virus, LoveLetter VBScript worm (replicates itself to other recipients)
Discovery/Removal: antivirus
6
Second Generation Threats
Active worms leveraging known vulnerabilities
Low level of sophistication in the spreading strategy (e.g. random target selection)
Non-destructive payloads
Remedy: identify and fix vulnerabilities
7
Third Generation Threats
Automated attacks leveraging known and unknown vulnerabilities
Collaboration of social engineering and automated attacks
Multiple attack vectors: e-mail, Web, IM, vulnerabilities, ...
Active payloads
Remedy: security enforcement / Network Access Control
8
Evolution of Network Access Control
Today: static network access
  Every device is permitted
  Infected or unhealthy devices are frequently the root of an outbreak
Tomorrow: dynamic network access based on policies
  Screening devices before granting access
  Infected or unhealthy devices should be treated separately
9
“Anyone can build a stop sign – or even a traffic light – but it takes a different mind-set entirely to conceive of a city-wide traffic control system.” Bruce Schneier – Beyond Fear
10
Building Blocks of Network Access Control
Assessment of endpoint security
Decision making based on policy compliance
Admission enforcement at the network infrastructure
Quarantining/remediation of unhealthy devices
11
A Common Framework for Network Access Control
Components in the framework diagram: Client, Network Access Infrastructure, Policy Manager, Main Network, Quarantine Network
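As an added example (not part of the original deck and not any vendor's code), the following Python sketch wires the four building blocks together as a policy decision point: an endpoint posture report comes in, a decision and an enforcement action (the VLAN the access device would apply) come out, and anything non-compliant, or anything that cannot be assessed at all, lands in the quarantine network. The policy contents (required Microsoft bulletins, signature age, forbidden ports, VLAN numbers) and the three sample endpoints are illustrative assumptions.

```python
"""Toy NAC policy decision point (added example, not from the deck or any vendor).

Building blocks from the slide: assessment (Posture), decision (evaluate),
admission enforcement (the VLAN handed back to the access device) and
quarantine/remediation (QUARANTINE_VLAN). All identifiers and thresholds below
are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

MAIN_VLAN = 10          # assumed production VLAN
QUARANTINE_VLAN = 666   # assumed remediation VLAN: reaches patch/AV servers only


@dataclass
class Posture:
    """What the endpoint agent (or an agentless scan) reports."""
    av_running: bool
    av_signature_date: date
    installed_bulletins: set[str] = field(default_factory=set)
    listening_ports: set[int] = field(default_factory=set)


@dataclass
class Policy:
    required_bulletins: set[str]   # e.g. MS04-011 (LSASS), MS04-007 (ASN.1)
    max_signature_age: timedelta
    forbidden_ports: set[int]      # e.g. 23 telnet, 161 snmp (the "insecure services" slide)


@dataclass
class Decision:
    host: str
    admitted: bool
    vlan: int
    reasons: list[str]


def evaluate(host: str, posture: Posture | None, policy: Policy, today: date) -> Decision:
    """Map one posture report to an admission decision.

    Fails closed: an endpoint that produced no report (no agent, scan blocked)
    is quarantined rather than admitted on trust.
    """
    if posture is None:
        return Decision(host, False, QUARANTINE_VLAN, ["no posture report; failing closed"])

    reasons: list[str] = []
    if not posture.av_running:
        reasons.append("antivirus not running")
    if today - posture.av_signature_date > policy.max_signature_age:
        reasons.append(f"AV signatures older than {policy.max_signature_age.days} days")
    missing = sorted(policy.required_bulletins - posture.installed_bulletins)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    exposed = sorted(policy.forbidden_ports & posture.listening_ports)
    if exposed:
        reasons.append("forbidden services listening on ports " + ", ".join(map(str, exposed)))

    if reasons:
        return Decision(host, False, QUARANTINE_VLAN, reasons)
    return Decision(host, True, MAIN_VLAN, ["compliant"])


# Example policy built from bulletins that appear in the deck's top-10 tables (assumed policy).
EXAMPLE_POLICY = Policy(
    required_bulletins={"MS03-007", "MS04-007", "MS04-011"},
    max_signature_age=timedelta(days=7),
    forbidden_ports={23, 161},
)


def demo(today: date = date(2005, 10, 1)) -> list[Decision]:
    """Run three constructed endpoints through the policy (sample data, not real hosts)."""
    healthy = Posture(True, today - timedelta(days=1),
                      {"MS03-007", "MS04-007", "MS04-011", "MS05-019"}, {445})
    unpatched = Posture(True, today - timedelta(days=12),
                        {"MS03-007"}, {23, 445})
    return [
        evaluate("laptop-01", healthy, EXAMPLE_POLICY, today),
        evaluate("laptop-02", unpatched, EXAMPLE_POLICY, today),
        evaluate("printer-07", None, EXAMPLE_POLICY, today),   # no agent, no report
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.host, "ADMIT" if d.admitted else "QUARANTINE", d.vlan, "; ".join(d.reasons))
```

The fail-closed branch is the part worth copying: a NAC design that admits endpoints it cannot assess (printers, guests, hosts with a broken agent) recreates the "every device is permitted" situation the deck is arguing against.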
12
Why Network Access Control Matters
Objective: understanding the prevalence of critical vulnerabilities over time in the real world
Timeframe: January, ongoing
Data source: 70% global enterprise networks, 30% random trials
Methodology: automatic data collection, statistical data only; no possible correlation to individual users or systems
13
Raw Results
Largest collection of global real-world vulnerability data:
14,818,000 IP scans since the beginning of 2002
2,275 out of 3,374 unique vulnerabilities detected in the real world
3,834,000 total critical* vulnerabilities found
1,031 out of 1,504 unique critical vulnerabilities detected in the real world
Analysis performed: identifying the window of exposure; lifespan of critical vulnerabilities; resolution response trend over time; vulnerability prevalence
* Critical: providing an attacker the ability to gain full control of the system and/or leakage of highly sensitive information. For example, vulnerabilities may enable full read and/or write access to files, remote execution of commands, and the presence of backdoors.
14
Microsoft WebDAV Vulnerability
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability
CVE reference: CAN; Qualys ID 86479; Released: March 2003
15
WU-FTPd File Globbing Heap Corruption Vulnerability
CVE reference: CVE; Qualys ID 27126; Released: November 2001
16
Microsoft Windows ASN.1 Library Integer Handling Vulnerability
CVE reference: CAN; Qualys ID 90103; Released: February 2004
17
Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS)
CVE reference: CAN; Qualys ID 90108; Released: April 2004
18
External vs. Internal Vulnerabilities
For a critical vulnerability, 50% of the vulnerable systems are fixed every 21 days on external networks (every 62 days on internal networks).
[Chart: percentage of systems still vulnerable (100% down to 25%) over time, 21-day intervals from 21 to 189 days]
19
SSL Server Allows Cleartext Communication
Qualys ID 38143
20
SQL Slammer Vulnerability
MS-SQL 8.0 UDP Slammer Worm Buffer Overflow Vulnerability
CVE reference: CAN; Qualys ID 19070; Released: July 2002
21
A Continuous Cycle of Infection
22
Vulnerability Lifespan
The lifespan of some vulnerabilities and worms is unlimited.
[Chart: percentage of systems still vulnerable over time, 21-day intervals from 21 to 126 days]
23
The Impact of an Exploit
80% of worms and automated exploits target the first two half-life periods of critical vulnerabilities (examples: Witty, Sasser, Blaster).
[Chart: percentage of systems still vulnerable over time, 21-day intervals from 21 to 126 days]
24
Mapping Vulnerability Prevalence
Individual Vulnerabilities
25
The Changing Top of the Most Prevalent
Vulnerabilities tracked (slide columns: Vulnerability, CVE, Jul-02, Jan-03, Jul-03, Jan-04, Jul-04):

Vulnerability                                                                              CVE reference
Apache Mod_SSL Buffer Overflow Vulnerability                                               CVE
Microsoft Exchange 2000 Malformed Mail Attribute DoS Vulnerability                         CVE
Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability  CVE
Microsoft IIS FTP Connection Status Request Denial of Service Vulnerability                CVE
Microsoft IIS Chunked Encoding Transfer Heap Overflow Vulnerability                        CVE
Microsoft IIS HTR ISAPI Extension Heap Overflow Vulnerability                              CVE
Microsoft IIS 4.0/5.0 Extended UNICODE Remote Execution Vulnerability                      CVE
Microsoft IIS CGI Filename Decode Error Vulnerability                                      CVE
Microsoft IIS Malformed HTR Request Buffer Overflow Vulnerability                          CVE
Microsoft IIS HTR Chunked Encoding Transfer Heap Overflow Vulnerability
Apache Chunked-Encoding Memory Corruption Vulnerability                                    CVE
OpenSSH Challenge-Response Authentication Integer Overflow Vulnerability                   CVE
Multiple Vendor SNMP Request And Trap Handling Vulnerabilities                             CAN
ISC BIND SIG Cached Resource Record Buffer Overflow (sigrec bug) Vulnerability             CAN
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability                            CAN
Sendmail Address Prescan Possible Memory Corruption Vulnerability                          CAN
Microsoft SMB Request Handler Buffer Overflow Vulnerability                                CAN
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability                          CAN
Microsoft DCOM RPCSS Service Vulnerabilities                                               CAN
Microsoft Messenger Service Buffer Overrun Vulnerability                                   CAN
Buffer Overflow in Microsoft Local Security Authority Subsystem Service (LSASS)            CAN
Microsoft RPCSS Code Execution Variant                                                     CAN
Microsoft Windows ASN.1 Library Integer Handling Vulnerability                             CAN

50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis.
26
Top 10 External (Most Prevalent and Critical Vulnerabilities) as of June, 2005
Title                                                                            Qualys ID   CVE Reference   External Reference
Microsoft Windows ntdll.dll Buffer Overflow Vulnerability                        86479       CAN             MS03-007
Buffer overflow in Microsoft Local Security Authority Subsystem Service (LSASS)  90108       CAN             MS04-011
Buffer Management Vulnerability in OpenSSH                                       38217       CAN             CA
Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability                   50080       CAN             CA
Microsoft Windows RPC Runtime Library Vulnerability                              68528       CAN             MS04-012
Microsoft Windows ASN.1 Library Integer Handling Vulnerability                   90103       CAN             MS04-007
Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities       09244       CAN             MS05-019
Writeable SNMP Information                                                       78031       N/A
Unauthenticated Access to FTP Server Allowed                                     27210
SSL Server Allows Cleartext Communication Vulnerability                          38143
27
Top 10 Internal (Most Prevalent and Critical Vulnerabilities) as of June, 2005
Title                                                                            Qualys ID   CVE Reference   External Reference
Microsoft SQL Weak Database Password                                             19001       CAN             N/A
Buffer overflow in Microsoft Local Security Authority Subsystem Service          90108       CAN             MS04-011
Microsoft Messenger Service Buffer Overrun Vulnerability                         70032       CAN             MS03-043
Microsoft Windows RPC Runtime Library Vulnerability                              68528       CAN             MS04-012
Microsoft Windows ASN.1 Library Integer Handling Vulnerability                   90103       CAN             MS04-007
Microsoft Buffer Overrun in JPEG Processing                                      90176       CAN             MS04-028
Adobe Acrobat Reader Format String Vulnerability                                 38385       CAN
Microsoft Server Message Block Remote Code Execution                             90230       CAN             MS05-011
Microsoft Internet Explorer Multiple Vulnerabilities                             100025      CAN             MS05-020
Microsoft Word Vulnerability Could Allow Remote Code Execution                   110031      CAN             MS05-023
28
Goal: Shortening the Half-Life of Critical Vulnerabilities for Internal systems to 40 days
[Chart: percentage of internal systems still vulnerable (100% down to 25%) over time, 62-day intervals from 62 to 372 days; two curves labelled 2004 and 2005, with the levers Awareness, Prioritization and Enforcement marked]
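The half-life figures on the preceding slides (21 days on external networks, 62 days internally, a 40-day internal target) describe a remediation curve. As an added example, not from the deck or from Qualys, here is that curve written out as exponential decay so the figures can be combined: what fraction of hosts an exploit still finds unpatched N days after disclosure under each half-life, and how a half-life is recovered from a single scan observation. The exponential form and the 10,000-host population are assumptions for illustration; the three constants are the deck's own numbers.

```python
"""Half-life model of vulnerability remediation (added example, not from the deck).

Constants are the figures reported in the deck; modelling remediation as
exponential decay with a constant half-life, and the 10,000-host population
used in the demo, are assumptions for illustration.
"""
from __future__ import annotations

import math

EXTERNAL_HALF_LIFE = 21.0   # days: 50% of exposed external systems fixed every 21 days
INTERNAL_HALF_LIFE = 62.0   # days: the same measure on internal networks
INTERNAL_TARGET = 40.0      # days: the deck's 2005 goal for internal systems


def fraction_vulnerable(days: float, half_life: float) -> float:
    """Fraction of initially vulnerable systems still unpatched after `days`."""
    return 0.5 ** (days / half_life)


def days_until(fraction_remaining: float, half_life: float) -> float:
    """Days after disclosure until only `fraction_remaining` is still vulnerable."""
    return half_life * math.log(fraction_remaining) / math.log(0.5)


def half_life_from_observation(days: float, fraction_remaining: float) -> float:
    """Recover the half-life from one scan: `days` after disclosure,
    `fraction_remaining` of the originally vulnerable systems were still open."""
    return days * math.log(0.5) / math.log(fraction_remaining)


def exposure_report(days_after_disclosure: float, population: int) -> dict[str, int]:
    """Hosts an exploit released `days_after_disclosure` days after the advisory
    would still find vulnerable, for each of the deck's three half-lives."""
    curves = {
        "external": EXTERNAL_HALF_LIFE,
        "internal": INTERNAL_HALF_LIFE,
        "internal_target": INTERNAL_TARGET,
    }
    return {name: round(population * fraction_vulnerable(days_after_disclosure, hl))
            for name, hl in curves.items()}


if __name__ == "__main__":
    # The deck says 80% of worms land within the first two half-lives; at the
    # second half-life boundary a quarter of the population is still exposed.
    for d in (21, 42, 63, 84):
        print(f"day {d:3d}:", exposure_report(d, 10_000))
    print("half-life implied by 25% remaining at day 42:",
          half_life_from_observation(42, 0.25))
```

Reading the output against the "impact of an exploit" slide: a worm arriving 42 days after disclosure hits 25% of an external population but roughly 63% of an internal one, and the 40-day target only brings that down to about 48%; that is the gap the deck's Awareness, Prioritization and Enforcement levers are meant to close.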
29
Network Access Control Industry Initiatives
Cisco Network Admission Control (NAC): leverages Cisco networking devices to control access; evaluation of devices via an agent (Cisco Trust Agent, CTA) or agentless
Microsoft Network Access Protection (NAP): client-side System Health Agent; server-side System Health Validator
TCG Trusted Network Connect (TNC): open software architecture for policy-based access; cross-vendor architecture
30
Cisco NAC Architecture
Components: hosts attempting network access (running the Cisco Trust Agent), network access devices, policy server decision points (AAA server, ACS) and vendor servers.
Flow: (1) the host presents credentials to the network access device over EAP/UDP or EAP/802.1x; (2) the device forwards the credentials to the AAA server (ACS) via RADIUS; (2a) ACS passes the credentials to vendor servers via HTTPS; (3) comply?; (4) access rights are returned; (5) enforcement at the network access device; (6) notification to the host.
Source: Cisco
31
Microsoft NAP Architecture
Source: Microsoft
32
TCG Trusted Network Connect Architecture
Source: Trusted Computing Group
33
Vernier Networks EdgeWall Architecture
Components: EdgeWall (enforcement point), Control Server, Authentication Service, patch management and vulnerability servers.
Flow: (1) credentials; (2) authentication against the Authentication Service; (3) local compliance check; (4) integrity data from the patch management and vulnerability servers; (5) user access rights applied at the EdgeWall.
Source: Vernier Networks
34
Network Access Control Challenges
Impact on and interoperability with existing infrastructure
Agent-based vs. agentless approaches
Continuous vs. initial (admission-time only) device evaluation
Interoperability between different architectures
35
Why Network Access Control is important
Reduced risk of outbreak due to infected endpoints
Safe access to networks through VPN access
Controlled remediation and patching of unhealthy endpoints
Increased security of corporate resources
Increased compliance with regulatory requirements
36
Thank You Q&A