NextGen-Firewall

Break-1520 - Next Generation Firewalls
James Oryszczyn
President, TBJ Consulting LLC
My Credentials
• CISSP
• SANS GIAC Audit and Windows Certified
• I have been in the security business for over 15 years
• Have implemented firewalls and security in numerous education environments
• I am President of TBJ Consulting LLC
Agenda
• Discuss problems with traditional firewalls
• Discuss modern malware
• Discuss URL filtering
• Discuss user authentication
• Discuss threat prevention
• Discuss logging
• Open discussion: if you have a question, ask…
At the End of the Presentation
I will discuss a survey you can take to see if you have a next generation firewall
Traditional Firewalls
• Only filter ports; really just a port filter
• Limited capabilities for user identification: source/destination IP address only
• Logging is OK to poor; can see only what is dropped/allowed
• No directory integration
• Traditionally no spyware/anti-virus/malware protection
• No Intrusion Prevention (IPS) or Intrusion Detection (IDS)
Traditional Firewalls, Continued
• Usually need a third-party URL filter
• Typically much more difficult to manage
• Difficult to apply updates
• Do not prevent attacks
• Turning on IPS/IDS features kills the firewall's performance
Next Generation Firewalls
Industry Analysts Recommend a Change
"Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two."
- Gartner
"…we anticipate a consolidation of firewalls and IPS to create an even more advanced multifunction security gateway."
- Forrester
The Early Days / Vendors Followed The Threats
[Timeline diagram, performance/damage over time: 1980s, physical threats (hardware theft) met with lock and key; 1990s, connection-based firewall and VPN; 2000s to today, content-based threats (viruses, trojans, worms, intrusions, spam, spyware, banned content) met with antivirus, IPS, antispam, anti-spyware and web filter, each as a separate product.]
Result: Multiple Devices, Consoles, Vendors
Problems Created
• Stand-alone, non-integrated security
• Created gaps in security strategy
• Mix of off-the-shelf systems and applications
• Difficult to deploy / manage / use
• High cost of ownership
A Better Approach to Threat Prevention
Integrating IPS and threat prevention into the firewall is NOT simply about convenience…it's a necessity.
True integration of IPS with the NGFW solves problems that traditional security products can't:
1. Controls threats on non-standard ports
2. Proactively reduces the attack surface
3. Controls the methods attackers use to hide
4. Integrates multiple threat prevention disciplines
5. Provides visibility and control of unknown threats
The Evolution of Next GEN Firewalls
[Diagram: the classic port-based model, one application per well-known port: FTP on port 20, SSH on 22, Telnet on 23, HTTP on 80, IM on 531.]
• Applications became evasive
  – Needed to traverse the firewall
  – Would look for commonly open ports (80, 443, 53)
  – Or look for any available port, including open high ports
• Evasive applications fundamentally break the port-based model
Non-Standard…Is the New Standard
[Bar chart: Most Frequently Detected "Dynamic" Applications: Sharepoint, iTunes, MS RPC, Skype, BitTorrent, MSN Voice, Ooyla, Mediafire, eMule, Teamviewer. Bar values as extracted, in chart order: 83%, 78%, 77%, 73%, 60%, 60%, 55%, 54%, 51%, 42%.]
[Bar chart: Applications That are Capable of Tunneling, by category (Networking 73, Collaboration 46, Media 24, General-Internet 17, Business-Systems 15) and by technology (Client-server 78, Browser-based 66, Network-protocol 19, Peer-to-peer 12).]
• 67% of the apps use port 80, port 443, or hop ports
• 190 of them are client/server
• 177 can tunnel other applications, a feature no longer reserved for SSL or SSH
Impact of Port Evasion on Threat Prevention
[Diagram: an IPS sitting behind a port-based firewall, both keyed to ports 20 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP) and 531 (IM).]
• IPS solutions are also port-based
  – Typically only look for exploits on the "typical" ports
• If the FW can't control traffic…
  – IPS will miss threats on unexpected ports, or…
  – IPS must run all signatures on all ports
NGFW Fixes the Firewall…and the IPS
[Diagram: App-ID classifying the traffic on ports 20, 22, 23, 80 and 531 before any other action is taken.]
• Rebuilt the firewall from the ground up
• Identifies traffic at the application level
  – Always on
  – Always the 1st action
  – On all ports
• Positive control is regained, regardless of the port the traffic travels on
• IPS is enforced consistently
• Evasive applications do not evade the IPS or the firewall
• The firewall does what it was originally designed to do
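To make the "identify at the application level, on all ports" point concrete, here is an added example; it is not code from the presentation or from any vendor's App-ID engine. It classifies a TCP flow from its first client bytes rather than from the destination port, and compares the verdict a port-based rule would give with the verdict an application-based rule gives on the same flows. The protocol fingerprints, the allowed-application policy (ALLOWED_APPS) and the sample flows are constructed assumptions.

```python
"""Added example (not code from the presentation or from any vendor's App-ID
engine): classify TCP flows from their first client bytes instead of from the
destination port, and compare the verdicts a port-based rule and an
application-based rule would give.  The signatures, the allowed-application
policy and the sample flows are all constructed for this illustration."""
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the stream (constructed)


# The port-based model: one well-known port per application.
PORT_TABLE = {20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 53: "dns",
              80: "http", 443: "ssl", 531: "im"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}
# Hypothetical outbound policy: only web browsing is allowed.
ALLOWED_APPS = {"http", "ssl"}


def identify_by_port(dst_port: int) -> str:
    """What a traditional firewall 'knows' about a flow: the port number only."""
    return PORT_TABLE.get(dst_port, "unknown")


def identify_by_payload(payload: bytes) -> str:
    """Identify the application from protocol fingerprints, ignoring the port."""
    if payload.startswith(b"SSH-"):                       # SSH version banner
        return "ssh"
    if (len(payload) >= 6 and payload[0] == 0x16          # TLS handshake record ...
            and payload[1] == 0x03 and payload[2] in (0x00, 0x01, 0x02, 0x03)
            and payload[5] == 0x01):                      # ... carrying a ClientHello
        return "ssl"
    if payload.startswith(b"\x13BitTorrent protocol"):    # BitTorrent peer handshake
        return "bittorrent"
    request_line = payload.split(b"\r\n", 1)[0].split(b" ")
    if (len(request_line) == 3 and request_line[0] in HTTP_METHODS
            and request_line[2].startswith(b"HTTP/1.")):  # HTTP request line
        return "http"
    return "unknown-tcp"


def port_based_decision(flow: Flow) -> str:
    """Traditional rule: allow if the destination port belongs to an allowed app."""
    return "allow" if identify_by_port(flow.dst_port) in ALLOWED_APPS else "deny"


def app_based_decision(flow: Flow) -> str:
    """NGFW rule: allow if the identified application is allowed, whatever the port."""
    return "allow" if identify_by_payload(flow.payload) in ALLOWED_APPS else "deny"


def evaluate(flows):
    """Side-by-side verdicts; 'evasive' marks traffic not matching its port's protocol."""
    rows = []
    for f in flows:
        port_app, real_app = identify_by_port(f.dst_port), identify_by_payload(f.payload)
        rows.append({"src": f.src, "port": f.dst_port, "port_app": port_app,
                     "app": real_app, "evasive": real_app != port_app,
                     "port_fw": port_based_decision(f), "ngfw": app_based_decision(f)})
    return rows


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.1.1.16", 80, b"GET / HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"),
    Flow("10.1.1.34", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                 # SSH hiding on 443
    Flow("10.1.1.56", 53, b"\x13BitTorrent protocol" + bytes(8)),       # P2P on the DNS port
    Flow("10.1.1.101", 8080, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS, odd port
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS):
        print(row)
```

In the sample, SSH tunnelled over port 443 is allowed by the port rule and denied by the application rule, while a legitimate TLS session on port 8080 goes the other way; that is the "positive control regardless of port" the slide describes, and it is also why the IPS no longer has to run every signature on every port (only the SSH and BitTorrent signature sets apply to those two flows). A real engine needs many more decoders and sometimes several packets before it can decide, and production policies usually pair the application with its expected ports (allow SSL, but only on the ports where SSL is expected) so that identifying an application does not by itself open every port.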
Control the Attack Surface of the Network
Only allow the apps you need
» The ever-expanding universe of applications, services and threats
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
Clean the allowed traffic of all threats in a single pass
» Complete threat library with no blind spots
» Bi-directional inspection
» Scans inside of SSL
» Scans inside compressed files
» Scans inside proxies and tunnels
• Block Unneeded and High-Risk Applications
  – Block (or limit) peer-to-peer applications
  – Block unneeded applications that can tunnel other applications
  – Review the need for applications known to be used by malware
  – Block anonymizers such as Tor
  – Block encrypted tunnel applications such as UltraSurf
  – Limit use to approved proxies
  – Limit use of remote desktop
Control the Methods Threats Use to Hide
Circumventors and tunnels: encryption (e.g. SSL), proxies (e.g. CGIProxy), compression (e.g. GZIP)
• Encrypted traffic: inspect within SSL
• Proxies: common user-driven evasion
• Remote Desktop: increasingly popular tool for end users
• Compressed content: ZIP files and compressed HTTP (GZIP)
• Outbound C&C traffic
• Encrypted tunnels: Hamachi, Ultrasurf, Tor; purpose-built to avoid security
Unknown Threats: Learn to See Traffic That Doesn't Belong
• NGFW classifies all known traffic
  – Custom App-IDs for internal or custom-developed applications
• Any remaining "unknown" traffic can be tracked and investigated
  – Used in the field to find botnets and unknown threats
• Behavioral Botnet Report
  – Automatically correlates end-user behavior to find clients that are likely infected by a bot
  – Indicators: unknown TCP and UDP, dynamic DNS, repeated file downloads/attempts, contact with recently registered domains, etc.
  – Finds specific users that are potentially compromised by a bot
[Screenshot: botnet report listing suspect internal IP addresses (10.x.x.x and 192.168.x.x hosts) and the user behind each, e.g. Jeff.Martin.]
Directory Integration
• Use Active Directory to authenticate users
  – If the device is part of the domain, authentication is pass-through (transparent to the user)
  – Will work with Apple devices
  – Can restrict users to certain applications
  – Can disallow guests from getting to the Internet, or greatly restrict them
  – Can easily see users in firewall logs, not just IP addresses
  – Allows you to take advantage of existing Active Directory groups
  – Gives you the ability to become granular in URL filtering
  – Can trace threats down to the user
  – Can also identify Citrix and Terminal Server users
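The Behavioral Botnet Report and the "see users, not just IP addresses" point of directory integration can be demonstrated together. The following is an added example, not code from the presentation or from any vendor product: it scores internal hosts on the four indicators the botnet slide lists over a constructed firewall traffic log, and resolves each IP to a user from constructed Active Directory logon events, picking the most recent logon at or before the traffic (the way an IP-to-user mapping has to work when a DHCP lease changes hands during the day). The indicator weights, the threshold, the domain-age feed, the dynamic-DNS suffix list and every log line are assumptions.

```python
"""Added example (not from the presentation or any vendor product): a minimal
"behavioral botnet report" over firewall traffic logs, scoring each internal
host on the indicators the slide lists, and naming the user behind each IP
from Active Directory logon events, the way NGFW user identification does.
Every log line, logon event and domain registration date below is constructed;
the indicator weights and the threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows logon events (think Security Event ID 4624): (time, account, source IP).
# 10.1.1.56 is used by two accounts on the same day, so the mapping must be time-aware.
AD_LOGONS = [
    ("2013-03-04 07:58", "jeff.martin", "10.1.1.101"),
    ("2013-03-04 08:02", "ann.lee", "10.1.1.56"),
    ("2013-03-04 08:10", "lab-guest", "192.168.1.5"),
    ("2013-03-04 11:30", "tom.ray", "10.1.1.56"),
]

# Constructed firewall traffic log: time,src,app,destination,action,downloaded file ("-" if none)
FW_LOGS = """\
2013-03-04 08:05,10.1.1.101,web-browsing,www.example.edu,allow,-
2013-03-04 08:06,10.1.1.101,unknown-tcp,203.0.113.9,allow,-
2013-03-04 08:07,10.1.1.101,unknown-tcp,203.0.113.9,allow,-
2013-03-04 08:09,10.1.1.101,dns,host77.no-ip.org,allow,-
2013-03-04 08:11,10.1.1.101,web-browsing,cdn-update-7731.info,allow,update.exe
2013-03-04 08:12,10.1.1.101,web-browsing,cdn-update-7731.info,allow,update.exe
2013-03-04 08:14,10.1.1.101,web-browsing,cdn-update-7731.info,allow,update.exe
2013-03-04 08:15,192.168.1.5,web-browsing,www.example.edu,allow,-
2013-03-04 08:20,10.1.1.56,web-browsing,www.example.edu,allow,-
2013-03-04 08:21,10.1.1.56,ssl,mail.example.edu,allow,-
2013-03-04 11:45,10.1.1.56,unknown-udp,198.51.100.23,allow,-
2013-03-04 11:47,10.1.1.56,dns,box12.dyndns.org,allow,-
"""

# Stand-in for a domain-age feed (WHOIS / registrar data): registration dates.
DOMAIN_REGISTERED = {"cdn-update-7731.info": "2013-02-25",
                     "www.example.edu": "1995-05-01", "mail.example.edu": "1995-05-01"}
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".dyndns.org", ".duckdns.org")
WEIGHTS = {"unknown-app": 2, "dynamic-dns": 3, "young-domain": 3, "repeated-download": 2}
SUSPECT_THRESHOLD = 5      # assumed: report hosts scoring at least this
YOUNG_DOMAIN_DAYS = 30     # assumed: "recently registered" means younger than this
REPEAT_DOWNLOADS = 3       # assumed: same file from the same host this many times


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def user_for(ip: str, when: datetime) -> str:
    """IP-to-user mapping: the most recent logon from this IP at or before `when`."""
    candidates = [(parse_ts(t), u) for t, u, src in AD_LOGONS if src == ip and parse_ts(t) <= when]
    return max(candidates)[1] if candidates else "unknown-user"


def is_young_domain(host: str, when: datetime) -> bool:
    reg = DOMAIN_REGISTERED.get(host)
    return reg is not None and when - parse_ts(reg + " 00:00") <= timedelta(days=YOUNG_DOMAIN_DAYS)


def botnet_report(log_text: str):
    """Score every source IP on the indicators and return the hosts over threshold."""
    hosts = defaultdict(lambda: {"indicators": set(), "last_seen": None,
                                 "downloads": defaultdict(int)})
    for line in log_text.splitlines():
        ts, ip, app, dst, _action, fname = line.split(",")
        when, h = parse_ts(ts), hosts[ip]
        h["last_seen"] = max(when, h["last_seen"] or when)
        if app.startswith("unknown-"):                      # unknown TCP / UDP
            h["indicators"].add("unknown-app")
        if dst.endswith(DYNAMIC_DNS_SUFFIXES):               # dynamic DNS
            h["indicators"].add("dynamic-dns")
        if is_young_domain(dst, when):                       # recently registered domain
            h["indicators"].add("young-domain")
        if fname != "-":                                     # repeated file downloads
            h["downloads"][(dst, fname)] += 1
            if h["downloads"][(dst, fname)] >= REPEAT_DOWNLOADS:
                h["indicators"].add("repeated-download")
    report = []
    for ip, h in hosts.items():
        score = sum(WEIGHTS[i] for i in h["indicators"])
        if score >= SUSPECT_THRESHOLD:
            report.append({"ip": ip, "user": user_for(ip, h["last_seen"]),
                           "score": score, "indicators": sorted(h["indicators"])})
    return sorted(report, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in botnet_report(FW_LOGS):
        print(row)
```

The second reported host shows why the logon timestamp matters: 10.1.1.56 belonged to ann.lee in the morning, but the suspicious traffic happened after tom.ray logged on from the same address, so the report names tom.ray. A mapping that only keeps "the last user seen on this IP" without comparing times would blame the wrong person. In production the indicators come from the firewall's own application and URL categorisation and from a real domain-age source, but the scoring and the join to user identity look the same.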
URL Filtering
• URL filtering on next generation firewalls
  – Integrates with the security policy: one place to manage your security
  – Faster than a proxy server; only one appliance to access
  – Databases update hourly/nightly
  – Make sure you have the ability to block unknown categories
  – Do not have to pay extra for spyware/malware categories
  – Database is updated automatically
  – Have the ability to also dynamically look up URLs
  – Some products' URL filtering is cloud based
  – Millions of URLs rated
  – Easy ability to create bypass and override categories
  – Block ads; they are a common vector for malware and junkware
[Screenshots: Fortinet URL Filter; Palo Alto URL Filter]
Application Control
• Application control on next generation firewalls
  – Ability to use applications instead of ports for firewall rules
  – Ability to allow Facebook but block Facebook chat (for example)
  – Can control what applications run over port 80
  – Can block proxy-based applications (good when combined with a URL filter)
  – Can block file sharing and peer-to-peer applications
  – Works very well along with a strong URL filter
[Screenshots: Palo Alto Application Control; Fortinet Application Control]
Anti-Virus / Anti-Malware / Anti-Spyware
• Anti-virus / anti-malware / anti-spyware
  – Adds another layer of defense at the gateway
  – Still need desktop anti-virus (no, you cannot get away from it)
  – Updates daily/hourly
  – Uses a network to analyze the most current threats
  – Scans all downloads for viruses
  – Can block certain file types such as .exe, .dll, etc. (this is one of the best ways to prevent virus infections)
  – Can scan inside a VPN tunnel
  – Integrates with the firewall rulebase
Traditional firewalls are blind to viruses
[Screenshots: Fortinet Anti-Virus; Palo Alto Anti-Virus]
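One caveat a practitioner will want on the "block certain file types" point: blocking by extension only stops honest senders, and the gateway has to look into compressed content (the GZIP and ZIP cases from the "methods threats use to hide" slide) to see what it is really passing. The following is an added example, not the presentation's or any vendor's scanning code: it types a download by its leading bytes, decodes gzip bodies and opens ZIP archives (with an output size cap and a nesting limit) before deciding. The sample downloads, the header-only PE_STUB and ELF_STUB byte strings, and the limits are constructed assumptions.

```python
"""Added example (not from the presentation or from any vendor's anti-virus
engine): decide whether a download is an executable by its content rather than
by the file name, and look inside gzip-compressed HTTP bodies and ZIP archives
before deciding.  The sample downloads, PE_STUB and ELF_STUB (a few header
bytes, not real programs) and the size limits are constructed for this example."""
import gzip
import io
import zipfile
import zlib

MAGIC = [  # (leading bytes, type)
    (b"MZ", "pe-executable"),       # .exe, .dll, .scr and friends all start with MZ
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
]
BLOCKED_TYPES = {"pe-executable", "elf-executable"}
MAX_INFLATE = 50_000_000   # assumed per-object limit: guards against decompression bombs
MAX_DEPTH = 2              # assumed: how many nested containers to open


def sniff(data: bytes) -> str:
    """File type from leading bytes (what the sender named the file is ignored)."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inflate_gzip(data: bytes) -> bytes:
    """Decompress a gzip body with a hard cap on the output size."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    out = d.decompress(data, MAX_INFLATE)
    if d.unconsumed_tail:                                # more output was still pending
        raise ValueError("inflated size exceeds MAX_INFLATE")
    return out


def inspect(name: str, data: bytes, depth: int = 0):
    """Return ('allow' | 'block', reason), descending into gzip and ZIP containers."""
    kind = sniff(data)
    if kind in BLOCKED_TYPES:
        return "block", f"{name}: content is {kind}"
    if kind in ("gzip", "zip") and depth >= MAX_DEPTH:
        return "block", f"{name}: nested deeper than {MAX_DEPTH} containers"
    if kind == "gzip":
        try:
            return inspect(name + "(gunzipped)", inflate_gzip(data), depth + 1)
        except (zlib.error, ValueError) as err:
            return "block", f"{name}: {err}"
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_INFLATE:
                        return "block", f"{name}/{info.filename}: declared size too large"
                    verdict, reason = inspect(f"{name}/{info.filename}", zf.read(info), depth + 1)
                    if verdict == "block":
                        return verdict, reason
        except RuntimeError as err:          # password-protected member: cannot be scanned
            return "block", f"{name}: {err}"
        except zipfile.BadZipFile:
            return "block", f"{name}: corrupt archive"
    return "allow", f"{name}: {kind}"


def scan_downloads(downloads):
    """Verdict per download name, for a batch of {name: bytes}."""
    return {name: inspect(name, data)[0] for name, data in downloads.items()}


def make_zip(entries):
    """Build an in-memory ZIP from {member name: bytes} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56)   # DOS header bytes only, not a program
ELF_STUB = b"\x7fELF\x02\x01\x01\x00" + bytes(8)
SAMPLE_DOWNLOADS = {                                    # constructed
    "report.pdf": b"%PDF-1.4\n%constructed\n",
    "photo.jpg": PE_STUB,                                   # executable renamed to .jpg
    "tool.bin": ELF_STUB,
    "update.gz": gzip.compress(PE_STUB),                    # gzip-encoded HTTP body
    "notes.zip": make_zip({"readme.txt": b"hi", "installer.exe": PE_STUB}),
    "docs.zip": make_zip({"a.txt": b"plain", "b.txt": b"text"}),
}

if __name__ == "__main__":
    for name, data in SAMPLE_DOWNLOADS.items():
        print(inspect(name, data))
```

Two of the design choices are the ones that matter on a real gateway: the decompressor is given an output cap (a small ZIP or gzip body can inflate to gigabytes), and a member the engine cannot read (password-protected, or nested too deep) is blocked rather than waved through, because "could not scan" is not the same as "clean". Extension checks still have a place as a cheap first filter, but the content check is what catches the renamed executable.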
Threat Prevention
• Threat prevention
  – Updates daily with the most current threats
  – Can help stop zero-day attacks and attacks against unpatched systems
  – Integrates with the firewall to create a complete solution
  – Prevents the attack from reaching the network
  – Also checks on all ports and applications, unlike a traditional IPS
  – Has the ability to track a threat to a user, not just an IP address
Traditional firewalls are unable to stop threats, or their threat prevention is outdated
Logging and Reporting
• Logging
  – Logs contain usernames
  – Can run threat reports, URL filtering reports and application reports
  – Can also report how much bandwidth someone is using
  – Can log which countries are being accessed
  – Can be a very useful tool for troubleshooting
Traditional firewalls' logging is OK, but does not provide enough detail
[Screenshots: logs by application and bytes; logs by user; log of which countries have been visited]
How Can a Next Generation Firewall Help You?
• Provide one product to manage instead of many
• Protect your networks and students from attacks, and from themselves
• Prevent students from using evasive ways to access websites
• Provide students the applications they need with ease
• Use your directory service to authenticate users
• Provide various levels of access to applications and websites; teachers can have a higher level of access
• Cost savings by consolidating products and reining in bandwidth-hogging users
• Reports can be emailed to you daily if needed
• Flexible deployment options
• Easy-to-manage and easy-to-use web UI
• Easy code upgrades
Survey
If you give me your business card, I will provide you an assessment of your current firewall/security environment.
Questions?
Thank You
You can contact me at James@tbjconsulting.com