Palo Alto Networks security solution - protection against new cyber-criminal threats focused on client-side vulnerabilities
Mariusz Stawowski, Ph.D., CISSP
Director of Professional Services, CLICO
email: mstawow@clico.pl

Agenda
• Introduction
• New client-side vulnerabilities used by cybercriminals
• Next-Generation Firewall – an effective protection against attacks focused on end users
• A live demo of Palo Alto Networks security solution unique features in practice
• Summary
ISO9001:2001

Introduction
• 1990s: hackers were showing the world their knowledge and achievements.
• Nowadays: cyber-criminals' activities are performed in an invisible way.

Introduction
Source: Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance – http://www.ic3.gov

Introduction
SANS The Top Cyber Security Risks 2009, Executive Summary:
Priority One: Client-side software that remains unpatched.
Priority Two: Internet-facing web sites that are vulnerable.
…
Source: SANS Institute - http://www.sans.org/top-cyber-security-risks/

Client-side Hacking
Tutorial: Real Life HTTP Client-side Exploitation Example
Step 0: Attacker Places Content on Trusted Site
Step 1: Client-Side Exploitation
Step 2: Establish Reverse Shell Backdoor Using HTTPS
...
Source: SANS Institute, "The Top Cyber Security Risks 2009" - http://www.sans.org/top-cyber-security-risks/

Client-side Hacking
Are we vulnerable? Every company can easily conduct a test to verify if its safeguards are able to protect IT systems against common client-side threats.

Client-side Vulnerability Assessment – Test 1.
Control of dangerous applications
The test objective is to verify if the Company's safeguards properly detect and block dangerous applications, i.e.:
• P2P (file sharing),
• Tor (free access to Internet services, publishing network services),
• Web conferencing (desktop sharing).
Security assessment should be conducted using real applications, i.e. Skype, smart P2P (e.g. Azureus) and a Web session covered by Tor.

Client-side Vulnerability Assessment – Test 1. Control of dangerous applications
Expected results

Client-side Vulnerability Assessment – Test 2. Client-side attacks in encrypted tunnels
[Diagram: the audit station serves an HTML page whose frameset carries encrypted exploits and payload and an SSL VPN backdoor to the user's workstation]
The test objective is to verify if the Company's safeguards properly detect and block attacks conducted in encrypted HTTPS traffic. Security assessment can be conducted using the following tools:
• a Web server (e.g. Apache Tomcat) publishing a Web page that contains exploits injected by a vulnerability exploitation tool (e.g. Metasploit),
• an SSL VPN gateway tunneling the attacks in SSL (e.g. SSL-Explorer).

Client-side Vulnerability Assessment – Test 2. Client-side attacks in encrypted tunnels
Expected results

Client-side Vulnerability Assessment – Test 3. Hijacking user's application sessions
[Diagram: original Web sessions from the user's workstation pass through an intercepting proxy on the audit station, which forwards modified Web sessions to the Web site]
• An intercepting proxy allows the intruders to change selected content of HTTP and HTTPS sessions (e.g. steal money from the user's bank account, reveal the user's credit card number and other confidential data).
The test objective is to verify if the Company's safeguards properly detect and block unauthorized access to an external Web proxy.
Security assessment can be conducted using Burp proxy (or another intercepting proxy) in the following way:
• The Web browser on the internal user's workstation should have its proxy configured to the external IP address where Burp is located.
• The user opens an HTTPS session to an e-commerce or e-banking system.

Client-side Vulnerability Assessment – Test 3. Hijacking user's application sessions
Expected results

Client-side Vulnerability Assessment
Detailed guidelines in ISSA Journal, November 2009: https://issa.org/Members/Journals-Archive/2009.html#November

Next Generation Firewall

Applications operate dynamically
• Port ≠ Application
• IP address ≠ User
• Packet data ≠ Content (e.g. encrypted)
• Most Internet applications communicate using the HTTP and HTTPS protocols; they use dynamically assigned ports and encrypted tunnels.
• Network firewalls identify Web browsing on port 80 or 443, however in reality there are hundreds of different applications - P2P, IM, Skype, online games, file sharing, email, etc.

Next Generation Firewall
• The fundamental security policy principle "Least Privilege" states that the network safeguards should block ALL TRAFFIC that was not explicitly defined by the policy as PERMITTED.
• The "Least Privilege" principle is a main part of IT security standards (ISO 27001, PCI, etc.).
• Compliance with the "Least Privilege" principle requires that the network safeguards properly identify all network applications regardless of port, protocol, evasive tactic and encryption (like SSL).

Effective applications identification and control
More than 60% of applications are hidden from network firewalls
[Diagram: firewall (stateful inspection) followed by intrusion prevention, Web filtering, etc.]
• Firewalls do not recognize most of the applications. Some applications and servers can be blocked on an IPS (signatures) or by Web Filtering (URL database). As many applications (e.g. P2P, Skype, Tor) use encryption, they cannot be identified by IPS signatures.
• There is a need for a firewall that is able to identify applications (not ports only) and whose security policy describes the allowed applications (all others are denied).

Effective applications identification and control
Palo Alto Networks solution
• Firewall security policy describes allowed applications.
• Profiles activate inspection (AV, IPS, WF, etc.) as well as bandwidth management (QoS).

Effective applications identification and control
• Security Profiles identify malicious use of allowed applications.
• Firewall protects against network attacks and malicious code and, with multigigabit throughput, detects and filters illegal data transferred by applications (e.g. credit card numbers, specified documents).
• Data Filtering - stops sensitive information (e.g. SSN, CC#) from traversing trusted boundaries. Data objects are defined as regular expressions (regex).
• File Filtering - identification and filtering of specified files sent by applications. Identification is based on MIME type and file header (not extension).

Effective users identification and control
• Firewall policy accurately defines users' access to the network services and is enforced even when the users change location and IP address.
• Firewall transparently verifies the user's identity (Active Directory, Citrix and TS integration).

Content inspection of encrypted traffic
Encrypted traffic hides important threats
[Diagram: Web browsing is redirected over HTTPS to a Web site in the Internet carrying exploits for the Web browser, spyware, Trojans, bots, etc., passing unseen through the firewall (stateful inspection), intrusion prevention, Web filtering, etc.]
• Safeguards (firewall, IPS, etc.) do not analyze encrypted HTTPS traffic, where intruders and malicious code can easily break into internal networks.
• There is a need for protections that decrypt non-trusted HTTPS traffic and properly analyze it (IPS, AV, etc.).
Content inspection of encrypted traffic
Palo Alto Networks solution
[Diagram: SSL content inspection - the client sees a PAN-issued certificate while the firewall validates the server certificate towards the server]
• Firewall protects users surfing the Internet against dangerous attacks in encrypted communication (i.e. malicious code, exploits for the Web browser). PAN decrypts non-trusted HTTPS traffic and properly analyzes it (IPS, AV, etc.).
• Content inspection of encrypted SSL traffic – outgoing to the Internet and also incoming to the company's servers. PAN maintains an internal Certificate Authority for dynamic certificate generation (root CA or subordinate to the company's root CA).
• For outgoing traffic the HTTPS inspection policy accurately defines the servers that are not trusted and require control. Identification of non-trusted HTTPS servers is performed using predefined Web Filtering categories (e.g. Finance-and-investment, Shopping) or addresses of known servers.

Visibility into Applications, Users & Content
• Dedicated graphical tools – network visibility and control in the scope of applications, users and content.
• Monitoring and reporting in real time.
• Detailed analysis of users' activities.

Next Generation Firewall
A live demo

Palo Alto Networks - technical features

PAN-OS NETWORK FEATURES
• Interfaces:
  - Copper GB
  - SFP (1 GB)
  - XFP (10 GB)
  - 802.3ad Link Aggregation
• High availability:
  - Active - Passive
  - Configuration and session synchronization
  - Status monitoring of devices, links and communication paths
• Work modes:
  - L2
  - L3 (OSPF and RIP)
  - V-wire
  - Tap
• Virtualization:
  - VLAN (in L2 and L3)
  - Virtual routers
  - Virtual systems

PAN-OS SECURITY FEATURES
• Firewall - network and application layers
• SSL traffic inspection
• NAT (ports, addresses)
• Bandwidth management
  - DiffServ
  - QoS
• Security technologies - App-ID, User-ID, Content-ID
• Content inspection
  - Anti-Virus
  - IPS & Anti-Spyware
  - Web Filtering
  - Data & File Filtering
• Transparent users authentication and control
• IPSec VPN
  - Route-based VPN (site-to-site)
  - SSL VPN

App-ID: Comprehensive Application Visibility
• Policy-based control of more than 800 applications distributed across five categories and 25 sub-categories
• Definition of custom applications
• Balanced mix of business, internet and networking applications and networking protocols
• ~5 - 10 new applications added weekly

User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure
• Understand users' application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group - also Citrix and MS TS agent
• Investigate security incidents, generate custom reports

Content-ID: Real-Time Content Scanning
• Detect and block a wide range of threats, limit unauthorized file transfers and control non-work related web surfing
  - Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
  - Looks for CC # and SSN patterns
  - Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database

Flexibility of security operations
Networks and threats are changing
[Diagram: WAN zone, DB zone (SQL servers), DMZ (Web, DNS server), internal zones (file server, email server, intranet server, user workstations) and untrust zone (Internet), connected over a VLAN trunk, with the safeguard working as an L3 router, an L2 transparent device and a sniffer]
• Appropriate protection of IT systems requires safeguards controlling many network segments in different modes – L3, transparent (L2) and sniffer.
• Cost effectiveness requires virtualization of the protections – VLAN interfaces, virtual routers, and virtual systems.

Flexibility of security operations
Palo Alto Networks solution
[Diagram: one device with interfaces in L2 – VLAN 10, L2 – VLAN 20, Vwire, L3 – DMZ, L3 – Internet and Tap – Core Switch modes]
• Many work modes - Tap Mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.
• The protection's work mode is adjusted to the requirements – network interfaces in one device can work in different modes.
• Security virtualization – VLAN interfaces in L2 and L3, virtual routers and virtual systems.

Inspection without performance degradation
Application inspection causes performance degradation
[Diagram: traffic passed serially through the FW module, IPS module, AV module and WF module]
• Application inspection of the network traffic performed on many inspection modules (IPS, AV, etc.) causes huge performance degradation.
• There is a need for protections that, in one inspection module working with multi-gigabit performance, can identify and completely analyze application traffic.

Inspection without performance degradation
Palo Alto Networks solution
• One module for network traffic analysis using a shared database of universal signatures for content inspection.
• Purpose-built hardware architecture:
  - protection tasks performed on dedicated hardware elements,
  - separation of control and traffic processing modules.
[Diagram: Policy Engine on top of Content-ID (Data Filtering, URL Filtering, Threat Prevention, Application Protocol Decoding), App-ID (Application Protocol Detection and Decryption, Application Signatures, Heuristics) and User-ID, over L2/L3 Networking, HA, Config Management, Reporting]

Inspection without performance degradation
• One module for network traffic analysis using a shared database of universal signatures for Intrusion Prevention, Anti-Virus, Anti-Spyware, etc.
[Diagram: viruses, spyware files, spyware "phone home", worms and vulnerability exploits (future) share a Uniform Signature Format with Stream-Based Matching]

Inspection without performance degradation
• Purpose-built hardware architecture:
  - protection tasks performed on dedicated hardware elements (Flash Matching HW, SSL/IPSec Enc. HW, Network Processor),
  - separation of control and traffic processing modules.
[Diagram: Control Plane (dual-core CPU, RAM, HDD) and Data Plane (Flash Matching Engine with RAM; multi-core security processor, CPU 1 … 16, with SSL, IPSec and de-compression; network processor with QoS, route, ARP and MAC lookup and NAT)]
• Flash Matching HW Engine - uniform signatures matching
• Multi-Core Security Processor - hardware accelerated SSL, IPSec, decompression
• 10 Gig Network Processor - hardware accelerated QoS, route lookup, MAC lookup and NAT

Security management
• CLI and graphical Web console
• Central management system - Panorama
• Role-based administration enables delegation of tasks to the appropriate person
• Local user database and RADIUS
• Admin audit
• Syslog, SNMP and Email reporting
• XML-based API

Security management
[Screenshot: > commit]
• Active and candidate configurations
• Rollback, quick comparison of different configurations

Analysis, monitoring and reporting
© 2008 Palo Alto Networks. Proprietary and Confidential.
Device models
[Chart: performance by model - PA-2000 Series (250 Mb, 500 Mb, 1 Gb) for Remote Office / Medium Enterprise; PA-4000 Series (2 Gb, 10 Gb, 10 Gb with XFPs) for Large Enterprise]
Annual Subscriptions
• Threat prevention +20%
• URL filtering +20%
• Support +16%

PA-500
- 250 Mbps firewall throughput
- 100 Mbps threat prevention throughput
- 50 Mbps IPSec VPN throughput
- 250 IPSec VPN tunnels and tunnel interfaces
- 7,500 new sessions per second
- 64,000 max sessions
- (8) 10/100/1000
- (1) 10/100/1000 out of band management interface
- (1) RJ-45 console interface

PA-2000 Series
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces
PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port

PA-4000 Series
PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
- 2U, 19" rack-mountable chassis
- Dual hot swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port

Summary

Palo Alto Networks – unique features
1. Identifies applications regardless of port numbers, tunneling and encryption protocols (including P2P and IM). Firewall policy rules explicitly define what applications are permitted.
More than 60% of applications are hidden from network firewalls.
• Control of applications is an essential requirement of IT security standards (ISO 27001, PCI, etc.) - the Principle of Least Privilege.
• Common firewalls, IPS and UTM are not able to fulfill this requirement.
ISO 27001, A.11.4.1. Policy on use of network services: "The users should only be provided with access to the services that they have been specifically authorized to use."

Palo Alto Networks – unique features
2. Protects the users surfing the Internet against dangerous attacks in encrypted communication (e.g. malicious code, exploits for Web browsers). Non-trusted HTTPS traffic is decrypted and properly inspected (IPS, AV, etc.).
Common safeguards (network firewall, IPS, etc.) do not analyze encrypted SSL traffic, where intruders and malicious code can easily break into internal networks.
[Diagram: Web browsing redirected over HTTPS to a Web site in the Internet carrying exploits for the Web browser, spyware, Trojans, bots, etc., unseen by the firewall (stateful inspection), intrusion prevention, Web filtering, etc.]

Palo Alto Networks – unique features
3. Performs the security tasks on network interfaces operating in different work modes (L2, L3, Tap, VLAN in L2 and L3). If needed, the security device can work in different modes at the same time.
Appropriate protection of IT systems requires safeguards controlling many network segments in different modes – L3, transparent (L2) and sniffer. Common network safeguards can work only in one selected mode.
[Diagram: one device with interfaces in L2 – VLAN 10, L2 – VLAN 20, Vwire, L3 – DMZ, L3 – Internet and Tap – Core Switch modes]

Palo Alto Networks – unique features
4. Performs accurate application inspection (IPS, AV, etc.) without performance degradation (one inspection path - shared database of universal signatures, purpose-built hardware architecture).
[Diagram: Policy Engine on top of Content-ID (Data Filtering, URL Filtering, Threat Prevention, Application Protocol Decoding), App-ID (Application Protocol Detection and Decryption, Application Signatures, Heuristics) and User-ID, over L2/L3 Networking, HA, Config Management, Reporting]
Application inspection in a common UTM is performed on many inspection modules (IPS, AV, WF, etc.) based on products from different vendors.
• It causes huge performance degradation.
[Diagram: traffic passed serially through the FW module, IPS module, AV module and WF module]

Palo Alto Networks – unique features
5. Manages the network bandwidth with QoS policies that are defined per application, user, IP address, interface, VPN tunnel and other parameters.
6. Transparently authenticates the identity of users in the network (AD, TS, Citrix integration). Firewall policy accurately defines user access permissions to the applications and enforces them even when the users change location and IP address.
7. Provides granular visibility and policy control over applications, users and content.

Deployment scenarios
Visibility / Monitor
• Connect to span port
• Provides application visibility without inline deployment
Firewall Augmentation
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes
Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance