Palo Alto Networks security solution - protection against new cyber-criminal threats focused on client-side vulnerabilities Mariusz Stawowski, Ph.D., CISSP.


1 Palo Alto Networks security solution - protection against new cyber-criminal threats focused on client-side vulnerabilities
Mariusz Stawowski, Ph.D., CISSP
Director of Professional Services, CLICO
email: mstawow@clico.pl

2 ISO9001:2001 Agenda
- Introduction
- New client-side vulnerabilities used by cyber-criminals
- Next-Generation Firewall - an effective protection against attacks focused on end users
- A live demo of Palo Alto Networks security solution - unique features in practice
- Summary

3 Introduction
1990s: hackers were showing the world their knowledge and achievements.
Nowadays: cyber-criminals' activities are performed in an invisible way.

4 Introduction
Source: Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance - http://www.ic3.gov

5 Introduction
SANS, The Top Cyber Security Risks 2009, Executive Summary:
Priority One: Client-side software that remains unpatched.
Priority Two: Internet-facing web sites that are vulnerable.
...
Source: SANS Institute - http://www.sans.org/top-cyber-security-risks/

6 Client-side Hacking
Source: SANS Institute, "The Top Cyber Security Risks 2009" - http://www.sans.org/top-cyber-security-risks/
Tutorial: Real Life HTTP Client-side Exploitation Example
Step 0: Attacker Places Content on Trusted Site
Step 1: Client-Side Exploitation
Step 2: Establish Reverse Shell Backdoor Using HTTPS
...

7 Client-side Hacking - Are we vulnerable?
Every company can easily conduct a test to verify whether its safeguards are able to protect IT systems against common client-side threats.

8 Client-side Vulnerability Assessment - Test 1. Control of dangerous applications
The test objective is to verify whether the Company's safeguards properly detect and block dangerous applications, e.g.:
- P2P (file sharing),
- Tor (free access to Internet services, publishing network services),
- Web conferencing (desktop sharing).
The security assessment should be conducted using real applications, e.g. Skype, smart P2P (e.g. Azureus) and a Web session covered by Tor.

9 Client-side Vulnerability Assessment - Test 1. Control of dangerous applications: expected results

10 Client-side Vulnerability Assessment - Test 2. Client-side attacks in encrypted tunnels
The test objective is to verify whether the Company's safeguards properly detect and block attacks conducted in encrypted HTTPS traffic. The security assessment can be conducted using the following tools:
- a Web server (e.g. Apache Tomcat) publishing a Web page that contains exploits injected by a vulnerability exploitation tool (e.g. Metasploit),
- an SSL VPN gateway tunneling the attacks in SSL (e.g. SSL-Explorer).

11 Client-side Vulnerability Assessment - Test 2. Client-side attacks in encrypted tunnels: expected results

12 Client-side Vulnerability Assessment - Test 3. Hijacking user's application sessions
The test objective is to verify whether the Company's safeguards properly detect and block unauthorized access to an external Web proxy. The security assessment can be conducted using Burp proxy (or another intercepting proxy) in the following way:
- the Web browser on an internal user's workstation has its proxy configured to the external IP address where Burp is located,
- the user opens an HTTPS session to an e-commerce or e-banking system.
An intercepting proxy allows intruders to change selected content of HTTP and HTTPS sessions (e.g. steal money from the user's bank account, reveal the user's credit card number and other confidential data).

13 Client-side Vulnerability Assessment - Test 3. Hijacking user's application sessions: expected results
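The safeguard Test 3 exercises has to notice a workstation whose browser has been pointed at a proxy the company does not operate. Because the browser's leg to the proxy is plain HTTP (the TLS session to the bank is tunnelled inside a CONNECT), the request lines are visible to a device in the path and they differ from ordinary browsing: a client only ever sends absolute-form ("GET http://host/...") or CONNECT requests to a proxy. The detection below is an added example (not from the presentation or from any vendor); the approved proxy, the internal ranges and the sample records are constructed.

```python
"""Spot internal workstations whose browser is pointed at an unauthorised Web proxy.

Added example, not from the presentation. Input records are constructed:
"<src_ip> <dst_ip> <dst_port> <HTTP request line>", as a connection log that
keeps the first request line of each connection would show them.
"""
import ipaddress
import re

# Constructed values: the company's sanctioned proxy and its internal address ranges.
APPROVED_PROXIES = {("10.0.0.5", 3128)}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# A browser talking to a proxy sends absolute-form requests ("GET http://host/...")
# or CONNECT requests for HTTPS; a browser talking to an origin server sends
# origin-form requests ("GET /path ..."). That difference is the detection signal.
ABSOLUTE_FORM = re.compile(r"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH)\s+https?://", re.I)
CONNECT_FORM = re.compile(r"^CONNECT\s+[\w.\-]+:\d{1,5}\s+HTTP/1\.[01]$", re.I)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_proxy_style(request_line: str) -> bool:
    """True when the request line is one a client only sends to a proxy."""
    return bool(ABSOLUTE_FORM.match(request_line) or CONNECT_FORM.match(request_line))


def find_unauthorised_proxy_use(records):
    """Return (src, dst, port, request) for proxy-style requests sent by internal
    hosts to anything other than an approved proxy."""
    alerts = []
    for rec in records:
        src, dst, port, request = rec.split(maxsplit=3)
        port = int(port)
        if not is_internal(src):
            continue                      # only our workstations are in scope
        if not is_proxy_style(request):
            continue                      # ordinary browsing to an origin server
        if (dst, port) in APPROVED_PROXIES:
            continue                      # sanctioned corporate proxy
        alerts.append((src, dst, port, request))
    return alerts


# Constructed sample records (TEST-NET addresses, example.com hosts).
SAMPLE_RECORDS = [
    "192.168.1.20 10.0.0.5 3128 GET http://www.example.com/ HTTP/1.1",
    "192.168.1.21 203.0.113.10 8080 CONNECT bank.example.com:443 HTTP/1.1",
    "192.168.1.22 198.51.100.7 80 GET /index.html HTTP/1.1",
    "192.168.1.23 203.0.113.10 8080 GET http://shop.example.com/cart HTTP/1.1",
    "203.0.113.99 192.168.1.23 8080 CONNECT mail.example.com:443 HTTP/1.1",
]

if __name__ == "__main__":
    for alert in find_unauthorised_proxy_use(SAMPLE_RECORDS):
        print("ALERT unauthorised proxy use:", alert)
```

Only the second and fourth records raise an alert: the first goes to the sanctioned proxy, the third is direct browsing, and the fifth originates outside the internal ranges. The expected result of Test 3 is that the safeguard blocks exactly the connections this check flags.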

14 Client-side Vulnerability Assessment
Detailed guidelines in ISSA Journal, November 2009: https://issa.org/Members/Journals-Archive/2009.html#November

15 Next Generation Firewall

16 Applications operate dynamically
Port ≠ Application; IP address ≠ User; Packet data ≠ Content (e.g. encrypted).
Most Internet applications communicate using the HTTP and HTTPS protocols, use dynamically assigned ports and encrypted tunnels. Network firewalls identify Web browsing on port 80 or 443; in reality, however, there are hundreds of different applications behind those ports - P2P, IM, Skype, online games, file sharing, email, etc.

17 Next Generation Firewall
The fundamental security policy principle "Least Privilege" states that network safeguards should block ALL TRAFFIC that was not explicitly defined by the policy as PERMITTED. The "Least Privilege" principle is a core part of IT security standards (ISO 27001, PCI, etc.). Compliance with the "Least Privilege" principle requires that network safeguards properly identify all network applications regardless of port, protocol, evasive tactic and encryption (such as SSL).
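The difference between a port-based rule set and an application-based one with an implicit deny is easiest to see side by side. The Python below is an added illustration, not part of the presentation or of any vendor's software: the user groups, application names and both policies are constructed, and the "application" field stands for whatever an application-identification engine has already decided the traffic is.

```python
"""Port-based versus application-based least-privilege policy (added example).

The flows, groups and rules are constructed. `app` is the application as
identified by content inspection, independent of the destination port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user_group: str   # group of the user behind the flow (directory integration)
    app: str          # identified application, e.g. "web-browsing", "bittorrent"
    dst_port: int


@dataclass(frozen=True)
class AppRule:
    user_group: str   # "any" matches every group
    apps: frozenset   # applications this rule explicitly permits
    action: str       # "allow" or "deny"


# Legacy port-based policy (constructed): 80/443/53 are "web and DNS", all else denied.
PORT_ALLOW = {80, 443, 53}

# Application-based policy (constructed): ordered, first match wins,
# and anything that matches no rule is denied (least privilege).
APP_POLICY = [
    AppRule("finance", frozenset({"web-browsing", "ssl", "dns"}), "allow"),
    AppRule("engineering", frozenset({"web-browsing", "ssl", "dns", "ssh"}), "allow"),
    AppRule("any", frozenset({"dns"}), "allow"),
]


def port_based(flow: Flow) -> str:
    """What a classic firewall decides: it only sees the port."""
    return "allow" if flow.dst_port in PORT_ALLOW else "deny"


def app_based(flow: Flow, policy=APP_POLICY) -> str:
    """What an application-aware firewall decides: the application and the
    user's group must be explicitly permitted; otherwise the flow is blocked."""
    for rule in policy:
        if rule.user_group in ("any", flow.user_group) and flow.app in rule.apps:
            return rule.action
    return "deny"   # implicit deny: nothing permitted it


def compare(flows):
    """Return (app, port, port_based decision, app_based decision) per flow."""
    return [(f.app, f.dst_port, port_based(f), app_based(f)) for f in flows]


# Constructed flows: the tunnelled applications ride on 443 and look like HTTPS.
SAMPLE_FLOWS = [
    Flow("finance", "web-browsing", 80),
    Flow("finance", "bittorrent", 443),
    Flow("engineering", "skype", 443),
    Flow("finance", "ssh", 22),
    Flow("engineering", "ssh", 22),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print("%-14s port %-4d port-based=%-5s app-based=%s" % row)
```

The two policies agree on ordinary web browsing, but the port-based one lets BitTorrent and Skype through on 443 because it cannot tell them from HTTPS, while the application-based one blocks them because no rule permits them. The last two flows show the other half of the principle: the same application is permitted for one group and denied for another.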

18 Next Generation Firewall

19 Effective applications identification and control
- Firewalls do not recognize most of the applications.
- Some applications and servers can be blocked on an IPS (signatures) or Web Filtering (URL database).
- As many applications (e.g. P2P, Skype, Tor) use encryption, they cannot be identified by IPS signatures.
There is a need for a firewall that is able to identify applications (not ports only) and whose security policy describes the allowed applications (all others are denied).
More than 60% of applications are hidden from network firewalls.

20 Palo Alto Networks solution - Effective applications identification and control
- Firewall security policy describes allowed applications.
- Profiles activate inspection (AV, IPS, WF, etc.) as well as bandwidth management (QoS).

21 Security Profiles identify malicious use of allowed applications.
The firewall protects against network attacks and malicious code and, with multi-gigabit throughput, detects and filters illegal data transferred by applications (e.g. credit card numbers, specified documents).
- Data Filtering - stops sensitive information (e.g. SSN, CC#) from traversing trusted boundaries. Data objects are defined as regular expressions (regex).
- File Filtering - identification and filtering of specified files sent by applications. Identification is based on MIME type and file header (not extension).
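Two practical details hide in this slide: a bare regex for card numbers produces many false positives unless the candidates are checksum-verified, and identifying a file by its header rather than its extension is what catches an executable renamed to .pdf. The Python below is an added example of both checks, written for this transcript rather than taken from the presentation or from any product; the patterns, the small magic-byte table and the sample text are constructed.

```python
"""Data Filtering and File Filtering checks of the kind the slide describes.

Added example, not the vendor's implementation: the regexes, the Luhn check
and the magic-byte table are constructed for illustration.
"""
import re

# 13-16 digit runs with optional space/dash separators: card-number candidates.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN shape with never-issued area (000, 666, 9xx), group (00) and serial (0000) excluded.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; removes order numbers and phone numbers from the matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_data(text: str):
    """Return (kind, value) pairs: card numbers that pass Luhn, then SSNs."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("credit-card", digits))
    for m in SSN_PATTERN.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


# File header ("magic") signatures -> MIME type; a small constructed subset.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),    # also docx/xlsx/jar containers
    (b"MZ", "application/x-dosexec"),      # Windows PE executable
]
EXTENSION_MIME = {".pdf": "application/pdf", ".png": "image/png",
                  ".zip": "application/zip", ".exe": "application/x-dosexec"}


def sniff_type(data: bytes) -> str:
    """Identify the file type from its header, not from its name."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return "application/octet-stream"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header says something other than what the extension claims,
    e.g. an executable renamed to .pdf."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    declared = EXTENSION_MIME.get(ext, "application/octet-stream")
    return sniff_type(data) != declared


# Constructed sample input: one valid test card number, one SSN-shaped value,
# and a 13-digit order number that a naive regex would also flag.
SAMPLE_TEXT = ("Payment card 4111 1111 1111 1111 exp 12/27, SSN 123-45-6789, "
               "order 1234567890123 is not a card number.")

if __name__ == "__main__":
    print(find_sensitive_data(SAMPLE_TEXT))
    print(extension_mismatch("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 8))
```

The order number matches the card regex but fails the Luhn check, so only the real card number and the SSN are reported; and a PE header inside a file called invoice.pdf is flagged as a mismatch regardless of the name the sender gave it.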

22 Effective users identification and control
- Firewall policy accurately defines users' access to the network services and is enforced even when the users change location and IP address.
- The firewall transparently verifies the user's identity (Active Directory, Citrix and TS integration).

23 Content inspection of encrypted traffic - Encrypted traffic hides important threats
Safeguards (firewall, IPS, etc.) do not analyze encrypted HTTPS traffic, through which intruders and malicious code can easily break into internal networks. There is a need for protections that decrypt non-trusted HTTPS traffic and properly analyze it (IPS, AV, etc.).

24 Palo Alto Networks solution - Content inspection of encrypted traffic
Diagram: SSL content inspection - client, PAN certificate | server certificate, server.
The firewall protects users surfing the Internet against dangerous attacks in encrypted communication (e.g. malicious code, exploits for Web browsers). PAN decrypts non-trusted HTTPS traffic and properly analyzes it (IPS, AV, etc.).
- Content inspection of encrypted SSL traffic - outgoing to the Internet and also incoming to the company's servers.
- PAN maintains an internal Certificate Authority for dynamic certificate generation (root CA or subordinate to the company's root CA).
- For outgoing traffic the HTTPS inspection policy accurately defines the servers that are not trusted and require control. Identification of non-trusted HTTPS servers is performed using pre-defined Web Filtering categories (e.g. Finance-and-investment, Shopping) or the addresses of known servers.

25 Visibility into Applications, Users & Content
Dedicated graphical tools - network visibility and control in the scope of applications, users and content. Monitoring and reporting in real time. Detailed analysis of users' activities.

26 Next Generation Firewall - A live demo

27 Palo Alto Networks - technical features

28 PAN-OS NETWORK FEATURES
Interfaces:
- Copper GB
- SFP (1 GB)
- XFP (10 GB)
- 802.3ad Link Aggregation
Work modes:
- L2
- L3 (OSPF and RIP)
- V-wire
- Tap
High availability:
- Active - Passive
- Configuration and session synchronization
- Status monitoring of devices, links and communication paths
Virtualization:
- VLAN (in L2 and L3)
- Virtual routers
- Virtual systems

29 PAN-OS SECURITY FEATURES
- Firewall - network and application layers
- SSL traffic inspection
- NAT (ports, addresses)
- Bandwidth management - DiffServ, QoS
- Security technologies - App-ID, User-ID, Content-ID
- Content inspection - Anti-Virus, IPS & Anti-Spyware, Web Filtering, Data & File Filtering
- Transparent users authentication and control
- IPSec VPN - Route-based VPN (site-to-site)
- SSL VPN

30 App-ID: Comprehensive Application Visibility
- Policy-based control of more than 800 applications distributed across five categories and 25 sub-categories
- Definition of custom applications
- Balanced mix of business, internet and networking applications and networking protocols
- ~5-10 new applications added weekly

31 User-ID: Enterprise Directory Integration
- Users no longer defined solely by IP address - leverage existing Active Directory infrastructure
- Understand users' application and threat behavior based on the actual AD username, not just the IP
- Manage and enforce policy based on user and/or AD group - also Citrix and MS TS agent
- Investigate security incidents, generate custom reports

32 Content-ID: Real-Time Content Scanning
Detect and block a wide range of threats, limit unauthorized file transfers and control non-work related web surfing.
- Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
- Block transfer of sensitive data and file transfers by type
  - Looks for CC # and SSN patterns
  - Looks into the file to determine its type - not extension based
- Web filtering enabled via fully integrated URL database

33 Flexibility of security operations - Networks and threats are changing
Appropriate protection of IT systems requires safeguards controlling many network segments in different modes - L3, transparent (L2) and sniffer. Cost effectiveness requires virtualization of the protections - VLAN interfaces, virtual routers and virtual systems.

34 Palo Alto Networks solution - Flexibility of security operations
Diagram: L2 - VLAN 10, L2 - VLAN 20, L3 - DMZ, L3 - Internet, Vwire, Tap - Core Switch.
- Many work modes - Tap Mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.
- Protections' work mode adjusted to the requirements - network interfaces in one device can work in different modes.
- Security virtualization - VLAN interfaces in L2 and L3, virtual routers and virtual systems.

35 Inspection without performance degradation - Application inspection causes performance degradation
Diagram: FW module -> WF module -> IPS module -> AV module.
Application inspection of the network traffic performed on many inspection modules (IPS, AV, etc.) causes huge performance degradation. There is a need for protections that, in one inspection module working with multi-gigabit performance, can identify and completely analyze application traffic.

36 Palo Alto Networks solution - Inspection without performance degradation
One module for network traffic analysis using a shared database of universal signatures for content inspection. Purpose-built hardware architecture: protection tasks performed on dedicated hardware elements, separation of control and traffic processing modules.
Architecture diagram: L2/L3 Networking, HA, Config Management, Reporting | App-ID (Application Protocol Detection and Decryption, Application Protocol Decoding, Heuristics, Application Signatures) | Content-ID (URL Filtering, Threat Prevention, Data Filtering) | User-ID | Policy Engine.

37 Inspection without performance degradation
Diagram: Viruses, Spyware Files, Spyware "Phone Home", Vulnerability Exploits, Worms (Future) -> Uniform Signature Format -> Stream-Based Matching.
One module for network traffic analysis using a shared database of universal signatures for Intrusion Prevention, Anti-Virus, Anti-Spyware, etc.
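What "uniform signature format" and "stream-based matching" buy is that signatures of every kind (virus, spyware phone-home, exploit) are compiled into one automaton that consumes traffic once, byte by byte, as it arrives, instead of buffering a whole file and running a separate scanner per category. The Python below is an added illustration of that idea using an Aho-Corasick automaton that keeps its state across chunk boundaries; it is not the presentation's or any vendor's engine, and the three signatures and the sample stream are constructed (the signatures match only the marker strings written here).

```python
"""Single-pass, stream-based multi-signature matching (added example).

A small Aho-Corasick automaton: all signatures, whatever their category, live in
one state machine, and the scanner carries its state from one chunk to the next,
so a pattern split across two packets is still found. Signatures and sample
traffic are constructed for illustration only.
"""
from collections import deque


class StreamMatcher:
    def __init__(self, signatures):
        # signatures: {name: (category, pattern_bytes)}
        self.goto = [{}]       # state -> {byte: next_state}
        self.fail = [0]        # state -> fallback state on mismatch
        self.out = [[]]        # state -> [(name, category)] completed here
        for name, (category, pattern) in signatures.items():
            state = 0
            for b in pattern:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    nxt = len(self.goto) - 1
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].append((name, category))
        # Failure links by breadth-first traversal; depth-1 states fall back to root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]
        self.state = 0         # scanning state, persists across feed() calls
        self.offset = 0        # bytes consumed so far

    def feed(self, chunk: bytes):
        """Scan one chunk; return (end_offset, name, category) for each hit."""
        hits = []
        for b in chunk:
            while self.state and b not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(b, 0)
            self.offset += 1
            for name, category in self.out[self.state]:
                hits.append((self.offset, name, category))
        return hits


# Constructed signatures of three categories in one table (uniform format).
SIGNATURES = {
    "constructed-virus": ("virus", b"CONSTRUCTED-VIRUS-MARKER"),
    "constructed-phone-home": ("spyware", b"GET /beacon?id="),
    "constructed-browser-exploit": ("exploit", b"<object classid=\"CLSID-CONSTRUCTED\">"),
}

# Constructed traffic delivered in chunks; the phone-home request line is split
# between the second and third chunk.
CHUNKS = [
    b"HTTP/1.1 200 OK\r\n\r\n<html><body>hello</body></html>",
    b"GET /bea",
    b"con?id=42 HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    b"binary blob CONSTRUCTED-VIRUS-MARKER trailing",
]


def scan_stream(chunks, signatures=SIGNATURES):
    """Feed the chunks through one matcher in order and collect every hit."""
    matcher = StreamMatcher(signatures)
    hits = []
    for chunk in chunks:
        hits.extend(matcher.feed(chunk))
    return hits


if __name__ == "__main__":
    for offset, name, category in scan_stream(CHUNKS):
        print("hit at byte %d: %s (%s)" % (offset, name, category))
```

The scan reports the phone-home signature, completed at byte 65 even though its bytes arrived in two chunks, and then the virus marker; the exploit signature is absent and is never reported. Each byte of the stream was examined exactly once for all three categories.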

38 Inspection without performance degradation
Purpose-built hardware architecture: protection tasks performed on dedicated hardware elements (Flash Matching HW, SSL/IPSec Enc. HW, Network Processor), separation of control and traffic processing modules.
Control Plane: dual-core CPU, RAM, HDD.
Data Plane:
- Flash Matching HW Engine (RAM) - uniform signatures matching
- Multi-Core Security Processor (CPU 1 ... CPU 16, RAM) - hardware accelerated SSL, IPSec, decompression
- 10 Gig Network Processor (CPU, RAM) - hardware accelerated QoS, route lookup, ARP and MAC lookup, NAT

39 Security management
- CLI and graphical Web console
- Central management system - Panorama
- Role-based administration enables delegation of tasks to the appropriate person
- Local user database and RADIUS
- Admin audit
- Syslog, SNMP and Email reporting
- XML-based API

40 Security management
- Active and candidate configurations
- Rollback, quick comparison of different configurations
> commit

41 Analysis, monitoring and reporting
© 2008 Palo Alto Networks. Proprietary and Confidential.

42 Device models
Remote Office / Medium Enterprise / Large Enterprise, by performance:
- 250 Mb (PA-500)
- PA-2000 Series: 500 Mb, 1 Gb
- PA-4000 Series: 2 Gb, 10 Gb, 10 Gb with XFPs
Annual subscriptions: Threat prevention +20%, URL filtering +20%, Support +16%

43 PA-500
- 250 Mbps firewall throughput
- 100 Mbps threat prevention throughput
- 50 Mbps IPSec VPN throughput
- 250 IPSec VPN tunnels and tunnel interfaces
- 7,500 new sessions per second
- 64,000 max sessions
- (8) 10/100/1000
- (1) 10/100/1000 out-of-band management interface
- (1) RJ-45 console interface

44 PA-2000 Series
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port
PA-2050: 1 Gbps FW, 500 Mbps threat prevention, 250,000 sessions, 16 copper gigabit, 4 SFP interfaces
PA-2020: 500 Mbps FW, 200 Mbps threat prevention, 125,000 sessions, 12 copper gigabit, 2 SFP interfaces

45 PA-4000 Series
- 2U, 19" rack-mountable chassis
- Dual hot swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port
PA-4050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 16 copper gigabit, 8 SFP interfaces
PA-4020: 2 Gbps FW, 2 Gbps threat prevention, 500,000 sessions, 16 copper gigabit, 8 SFP interfaces
PA-4060: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O

46 Summary

47 Palo Alto Networks - unique features
1. Identifies applications regardless of port numbers, tunneling and encryption protocols (including P2P and IM). Firewall policy rules explicitly define what applications are permitted.
More than 60% of applications are hidden from network firewalls.
ISO 27001, A.11.4.1, Policy on use of network services: users should only be provided with access to the services that they have been specifically authorized to use.
Control of applications is an essential requirement of IT security standards (ISO 27001, PCI, etc.) - the Principle of Least Privilege. Common firewall, IPS and UTM are not able to fulfill this requirement.

48 Palo Alto Networks - unique features
2. Protects users surfing the Internet against dangerous attacks in encrypted communication (e.g. malicious code, exploits for Web browsers). Non-trusted HTTPS traffic is decrypted and properly inspected (IPS, AV, etc.).
Common safeguards (network firewall, IPS, etc.) do not analyze encrypted SSL traffic, through which intruders and malicious code can easily break into internal networks.

49 Palo Alto Networks - unique features
3. Performs the security tasks on network interfaces operating in different work modes (L2, L3, Tap, VLAN in L2 and L3). If needed, one security device can work in several modes at the same time.
Appropriate protection of IT systems requires safeguards controlling many network segments in different modes - L3, transparent (L2) and sniffer. Common network safeguards can work only in one selected mode.
Diagram: L2 - VLAN 10, L2 - VLAN 20, L3 - DMZ, Vwire, Tap - Core Switch, L3 - Internet.

50 Palo Alto Networks - unique features
4. Performs accurate application inspection (IPS, AV, etc.) without performance degradation (one inspection path - shared database of universal signatures, purpose-built hardware architecture).
Application inspection in a common UTM is performed on many inspection modules (IPS, AV, WF, etc.) based on products from different vendors. This causes huge performance degradation.
Diagrams: FW module -> WF module -> IPS module -> AV module (common UTM) versus L2/L3 Networking, HA, Config Management, Reporting | App-ID (Application Protocol Detection and Decryption, Application Protocol Decoding, Heuristics, Application Signatures) | Content-ID (URL Filtering, Threat Prevention, Data Filtering) | User-ID | Policy Engine (Palo Alto Networks).

51 Palo Alto Networks - unique features
5. Manages the network bandwidth with QoS policies that are defined per application, user, IP address, interface, VPN tunnel and other parameters.
6. Transparently authenticates the identity of users in the network (AD, TS, Citrix integration). Firewall policy accurately defines user access permissions to the applications and enforces them even when the users change location and IP address.
7. Provides granular visibility and policy control over applications, users and content.

52 Deployment scenarios
- Visibility / Monitor: connect to a span port; provides application visibility without inline deployment.
- Firewall Augmentation: deploy transparently behind the existing firewall; provides application visibility & control without networking changes.
- Firewall Replacement: replace the existing firewall; provides application and network-based visibility and control, consolidated policy, high performance.

