“There is nothing more important than our customers”
How to secure networks against attacks from within while making the most of the existing infrastructure
Michal Zlesák, Area Sales Manager - Eastern EMEA
michal.zlesak@enterasys.com
© 2006 Enterasys Networks, Inc. All rights reserved.
Securing the Network starts with the Questions to Ask…
• Do you have a corporate IT security policy?
• How do you enforce your security policy?
• Can you identify a security breach occurring within the corporate infrastructure?
• How long does it take to identify an internal security breach?
• How long does it take to patch your entire environment on the discovery of a security breach?
• Do you have mobile users that connect to the corporate infrastructure, but also connect to the Internet through non-trusted and possibly non-secure locations (home, coffee shop, etc.)?
• Can your IT organization remove or quarantine anything on the network in a moment’s notice?
• What would a complete system meltdown cost your organization?
The Capabilities of Secure Networks™
• Access Control of users and devices on the network
• Establish and Enforce Policy for users and devices to protect the enterprise
• Detect & Locate security intrusions and anomalous behavior
• Proactive Prevention of attacks & compromises—everywhere, all the time
• Respond & Remediate identified security breaches
(Diagram: Centralized Command and Control plus an Advanced Security Application layered over a Security Enabled Infrastructure spanning the edge, distribution, core, data center and wireless.)
Secure Networks – Visibility & Awareness
1. Detect & Assess End Device
(Diagram: a user/device connecting on Port 1 at the Access layer; Finance, Sales, Ops and Voice VLANs; Distribution & Core; Data Center; DMZ; Internet.)
Assessing Security Posture of connecting device
1. Device Detection
Identify when a device attempts to connect to the network
2. Device Assessment
Determine if the device complies with corporate security requirements
› “Device Health” e.g. OS patch revision levels, antivirus signatures definition
› Other security compliance requirements e.g. physical location, time of day
3. Device / User Authentication
Verify the identity of the user or device connected to the network
Identify location of end device.
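The three steps above, worked through as an added Python example (not Enterasys code): a device appears on a port, its posture is assessed against policy, and the identity is verified before a VLAN is assigned. The patch-level counter, signature-age limit, permitted locations and hours, credential table and VLAN numbers are all constructed assumptions standing in for a policy server and 802.1X/RADIUS.

```python
"""Added example: NAC-style detect / assess / authenticate decision (not Enterasys code)."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values; a real deployment pulls these from the policy server.
MIN_OS_PATCH_LEVEL = 12                  # hypothetical monotonic patch revision counter
MAX_AV_SIGNATURE_AGE = timedelta(days=3)
ALLOWED_LOCATIONS = {"hq-floor1", "hq-floor2", "branch-prague"}
PERMITTED_HOURS = (7, 20)                # connections allowed 07:00-19:59 local time
CREDENTIALS = {"alice": "s3cr3t", "bob": "hunter2"}   # constructed stand-in for 802.1X/RADIUS
VLANS = {"production": 10, "quarantine": 99, "reject": None}


@dataclass(frozen=True)
class DevicePosture:
    """What the access switch learns about a device when it appears on a port (step 1)."""
    mac: str
    user: str
    secret: str
    os_patch_level: int
    av_signature_date: datetime
    location: str
    connect_time: datetime


def authenticate(device: DevicePosture) -> bool:
    """Step 3: verify identity. A constant-time compare avoids leaking the secret via timing."""
    expected = CREDENTIALS.get(device.user, "")
    return bool(expected) and hmac.compare_digest(expected, device.secret)


def assess(device: DevicePosture) -> list:
    """Step 2: return every compliance failure; an empty list means the device is healthy."""
    failures = []
    if device.os_patch_level < MIN_OS_PATCH_LEVEL:
        failures.append(f"os patch level {device.os_patch_level} below {MIN_OS_PATCH_LEVEL}")
    if device.connect_time - device.av_signature_date > MAX_AV_SIGNATURE_AGE:
        failures.append("antivirus signatures older than 3 days")
    if device.location not in ALLOWED_LOCATIONS:
        failures.append(f"location {device.location!r} not permitted")
    start, end = PERMITTED_HOURS
    if not start <= device.connect_time.hour < end:
        failures.append("connection outside permitted hours")
    return failures


def admit(device: DevicePosture) -> tuple:
    """Combine the steps into an access decision: (role, vlan, reasons).

    Authentication is checked first so an unknown user never learns which posture
    checks apply; an authenticated but non-compliant device lands in the quarantine
    VLAN, where remediation (patching, signature update) happens.
    """
    if not authenticate(device):
        return ("reject", VLANS["reject"], ["authentication failed"])
    failures = assess(device)
    if failures:
        return ("quarantine", VLANS["quarantine"], failures)
    return ("production", VLANS["production"], [])


def sample_device(user="alice", secret="s3cr3t", patch=14, av_days_old=1,
                  location="hq-floor1", hour=9) -> DevicePosture:
    """Constructed device record for demonstration; change one field to exercise one check."""
    now = datetime(2006, 5, 15, hour, 30)
    return DevicePosture("00:11:22:33:44:55", user, secret, patch,
                         now - timedelta(days=av_days_old), location, now)


if __name__ == "__main__":
    print(admit(sample_device()))                 # ('production', 10, [])
    print(admit(sample_device(av_days_old=14)))   # quarantine with the stale-AV reason
```

The ordering matters operationally: the reject path returns a single generic reason, while the quarantine path returns the full failure list so the remediation portal can tell the user what to fix.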
Secure Networks – Visibility & Awareness
1. Detect & Assess End Device
2. Monitor network and application flow behavior
Granular Control of Network Traffic
• Leveraging the full capabilities of policy architecture
› Central policy configuration and distribution
› Distributed policy enforcement points at the infrastructure access and distribution layer
› Per user / per device controls at the aggregation of non-policy enabled access layer
› Flow-based threat isolation and mitigation
(Diagram: Policy Administration at the Core; Policy Enforcement at the Distribution and Access Layers.)
Policy Enforcement:
• User/Device Access Control
• Protocol Filtering
• Undesirable Traffic Filtering
• Application QoS
• Per User Quarantine
• Rate limiting, Prioritizing, Limiting resources
Monitor Network and Application Flow Behavior
• Security Information & Event Management
› Traditional Network Performance Optimization
› Monitor network bandwidth behaviors
› Detailed application level flow collection with packet data
› All flows captured: QFlow, NetFlow, sFlow, cflowd, J-Flow
Secure Networks – Visibility & Awareness
1. Detect & Assess End Device
2. Monitor network and application flow behavior
3. Monitor for threats in the infrastructure
Threat & Compliance Methods
Signature Based Pattern Matching
› IDS/IPS looks for known patterns of malicious activity
› Robust threat signature libraries
Behavioral Anomaly Detection
› “Suspicious or out of the ordinary” events
Protocol Decoding
› IDS/IPS monitors for protocol anomalies and violations
› All common protocols, including VoIP protocols
Analysis by layer:
• Layer 1: Frame Capture
• Layer 2: Frame Filtering; Basic security checks
• Layer 3: IP Options Logging; IP Protocol Logging; Header Verification and Analysis; IDS Evasion Checking; IP Fragment Reassembly & Event Logging; IP Address Checks; IP Header Values Retrieved/Checked/Stored
• Layer 4 (UDP/TCP/ICMP):
› TCP: Analyze and Store header variables; TCP Checksum verification; TCP options verification and logging; TCP flags verification and logging
› UDP: Analyze and Store header variables
› ICMP: ICMP Logging; Backdoor Checks
• IP Session Analysis: Data Collection for out of band processing; Stream Reassembly; Port Scan and Sweep Detection
• Application Anomaly Analysis: Pattern Matching in the IP Headers of TCP/UDP/ICMP; Protocol Decoding Analysis; Specific application security event analysis; Generic Denial of Service testing
• Signature Analysis: Complex Signature analysis; Case sensitive/insensitive searching with support for wildcarding and character types
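The layer 3 and layer 4 items above (header verification, TCP checksum verification, TCP flags verification) as an added Python example, not the IDS/IPS product's code: `inspect()` runs the checks over one IPv4/TCP datagram and returns the anomalies it finds. The packet builder exists only to construct valid test input, the addresses and ports are constructed, and the anomaly wording is mine.

```python
"""Added example: layer 3/4 header verification and TCP flag checks (not the IDS/IPS product's code)."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
PROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by the IPv4 header and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, flags, payload=b"", corrupt_tcp_csum=False):
    """Constructed IPv4/TCP datagram with valid checksums (test input, not captured traffic)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    tcp_csum = checksum(pseudo + tcp) ^ (1 if corrupt_tcp_csum else 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def inspect(pkt: bytes) -> list:
    """Return the anomalies found in one IP datagram; an empty list means it passed every check."""
    events = []
    if len(pkt) < 20:
        return ["truncated IP header"]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src_b, dst_b = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4:
        events.append("IP version is not 4")
    if ihl < 20:                      # the header cannot be shorter than its fixed fields
        return events + ["IP header length below 20 bytes"]
    if total_len > len(pkt):
        events.append("IP total length exceeds captured bytes")
    if checksum(pkt[:ihl]) != 0:      # a valid header sums to zero with its checksum field included
        events.append("IP header checksum invalid")
    if proto != PROTO_TCP:
        return events
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return events + ["truncated TCP header"]
    if (tcp[12] >> 4) * 4 < 20:
        events.append("TCP data offset below 20 bytes")
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    if checksum(pseudo + tcp) != 0:   # pseudo-header + segment must also sum to zero
        events.append("TCP checksum invalid")
    flags = tcp[13]
    if flags & SYN and flags & FIN:
        events.append("SYN and FIN set together")
    if flags & SYN and flags & RST:
        events.append("SYN and RST set together")
    if flags & ALL_FLAGS == 0:
        events.append("no TCP flags set (null scan pattern)")
    if flags & ALL_FLAGS == ALL_FLAGS:
        events.append("all six TCP flags set (xmas scan pattern)")
    return events


if __name__ == "__main__":
    print(inspect(build_packet("10.0.0.5", "10.0.0.20", 40000, 80, SYN)))         # []
    print(inspect(build_packet("10.0.0.5", "10.0.0.20", 40000, 80, SYN | FIN)))   # SYN+FIN anomaly
```

Checksum failures matter to an IDS beyond data integrity: a segment the end host will discard for a bad checksum is also one an evasion attempt may use to desynchronise the sensor from the host, which is why the slide lists checksum verification next to IDS evasion checking.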
Monitor for Threats in Infrastructure
• Signature Based Monitoring (Pattern Matching): NIDS, HIDS, IPS
• Behavior Based Monitoring (Anomaly Detection): NetFlow, J-Flow, sFlow, cFlowd, QFlow, Packeteer Flow Data Record
• Protocol Analysis & Anomaly: NIDS, HIDS, IPS
(Diagram: the three monitoring sources feed correlation with compliance, policy and flow data; the outcomes are labelled Day Zero Attacks and Forensics.)
Behavioral Flow Context Analysis
• Detailed Network Performance information: Applications, Latency, Traffic flows
• Detailed view of attack before, during, and after the incident from a network flow perspective.
Example:
› Backdoor SIM detects backdoor event and tells the classification engine to monitor:
- Attacker is <SRC>
- Target is <DST>
- Port is new
- And found after <event time>
- And Flow is <bi-directional>
• Offenses are annotated with evidence: Flow Context analysis has detected that the attack successfully installed a backdoor on the target
• Flows Tagged and Correlated to Offenses
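The flow collection from the earlier Monitor Network and Application Flow Behavior slide and the backdoor rule above, worked through together as an added Python example (not Enterasys or QFlow code): a NetFlow v5 decoder turns an export datagram into flow records, then the slide's rule is applied to them. The v5 header and record layout are the published ones; addresses, ports, timestamps and the event time are constructed, and "port is new" is taken to mean that no flow reached that target port before the event.

```python
"""Added example: NetFlow v5 decoding and the backdoor flow-context rule (not Enterasys/QFlow code)."""
import socket
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

# Constructed scenario values (RFC 5737 documentation addresses, not real hosts).
ATTACKER, TARGET = "203.0.113.9", "192.0.2.25"
EVENT_MS = 1_147_000_000_000        # epoch ms at which the backdoor signature fired


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    start_ms: int                   # absolute epoch ms (v5 timestamps are relative to router uptime)
    end_ms: int


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram; rejects other versions and inconsistent lengths."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, uptime, secs, nsecs = V5_HEADER.unpack_from(datagram)[:5]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    boot_ms = secs * 1000 + nsecs // 1_000_000 - uptime   # router boot time makes first/last absolute
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _hop, _inp, _out, pkts, octets, first, last, sport, dport, _pad, _flags, proto = rec[:14]
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, proto,
                          pkts, octets, boot_ms + first, boot_ms + last))
    return flows


def build_netflow_v5(records, uptime_ms: int, unix_secs: int) -> bytes:
    """Encode constructed (src, dst, sport, dport, proto, pkts, octets, first, last) tuples as v5."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2, pk, oc,
                       first, last, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, first, last in records)
    return V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, 1, 0, 0, 0) + body


def backdoor_context(flows, attacker: str, target: str, event_ms: int) -> list:
    """The slide's rule: attacker->target flows starting after the event, on a target port that
    served nothing before the event ("port is new"), with a matching reverse flow ("bi-directional")."""
    baseline_ports = {f.dport for f in flows if f.dst == target and f.end_ms < event_ms}
    by_key = {(f.src, f.dst, f.sport, f.dport, f.proto): f for f in flows}
    evidence = []
    for f in flows:
        if f.src != attacker or f.dst != target or f.start_ms < event_ms or f.dport in baseline_ports:
            continue
        back = by_key.get((f.dst, f.src, f.dport, f.sport, f.proto))
        if back is not None:
            evidence.append((f, back))                  # forward and reverse flow annotate the offense
    return evidence


def sample_flows() -> list:
    """Constructed export: exploit over HTTP before the event, then a new listener used afterwards."""
    base = 480_000                                      # uptime (ms) that corresponds to EVENT_MS
    export_secs = (EVENT_MS + 120_000) // 1000          # router exports 2 min later at uptime 600 000 ms
    records = [
        (ATTACKER, TARGET, 51000, 80, 6, 40, 5_000, base - 30_000, base - 1_000),
        (TARGET, ATTACKER, 80, 51000, 6, 30, 8_000, base - 30_000, base - 1_000),
        (ATTACKER, TARGET, 51001, 31337, 6, 12, 900, base + 5_000, base + 60_000),    # new port, after event
        (TARGET, ATTACKER, 31337, 51001, 6, 10, 70_000, base + 5_000, base + 60_000),  # reverse direction
        (ATTACKER, TARGET, 51002, 80, 6, 5, 400, base + 7_000, base + 8_000),           # known port: no
        (ATTACKER, TARGET, 51003, 4444, 6, 3, 180, base + 9_000, base + 9_500),         # no reply: no
    ]
    return parse_netflow_v5(build_netflow_v5(records, 600_000, export_secs))


if __name__ == "__main__":
    for fwd, back in backdoor_context(sample_flows(), ATTACKER, TARGET, EVENT_MS):
        print(f"backdoor live on {fwd.dst}:{fwd.dport}, {back.octets} bytes returned to {fwd.src}")
```

The reverse-flow lookup is what separates a successful backdoor from a mere connection attempt: a one-way flow to a new port (the 4444 record) is a probe, while matched forward and reverse flows that start after the signature fired are the evidence the slide says the offense gets annotated with.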
Secure Networks – Visibility & Awareness
1. Detect & Assess End Device
2. Monitor network and application flow behavior
3. Monitor for threats in the infrastructure
4. Manage Security Information
Manage Security Information
Security Information & Event Manager (SIEM)
• Provides a shared view of the infrastructure
• Extensive 3rd party Device Support
• Correlates seemingly disparate network and security events
• Links network behavior with security posture for compliance
• Satisfies IT’s convergence objective
Reporting – For Operations & Compliance
• The value of reporting is that it enhances your business's compliance posture
• Executive Level Reports: High Level Enterprise wide or departmental Summary Reports
• Operational Reports: Detailed Enterprise wide or departmental reports
• Wizard Driven, Easy to use: Build, edit, schedule and distribute reports
• Variety of Outputs and Graph Types
› XML, HTML, PDF, CSV
› Bar, Delta, baselines, Pie, Line, Stacked Bar…
Network Defense System
• Surveillance and Front Line Prevention: Host IDS/IPS; Network IDS/IPS; Network Behavioral Anomaly Detection
• Security Event Data: Events from 3rd Party Firewall, VoIP Gateway, IDS/IPS, SIM, Vulnerability Assessment, Syslog, Application, Database, etc.
• Flow Data: J-Flow, sFlow, NetFlow
• External Threat Data: Threatening subnet range, blacknet IP addresses, spyware sites, etc.
• Analytics: SIEM (Security Information & Event Manager)
• Response: Operations Center Dashboard (Human Response); Automated Security Manager (Automated Response)
• Outputs: Automated Security Reports; Policies Applied to Network Equipment
Secure Networks – The Power of Visibility and Control
1. User Assessed and Authenticated through NAC
2. User attempts directed attack at critical server
3. IDS/IPS detects and drops lethal packets
4. IDS/IPS forwards detected event to ASM
5. ASM Locates threat
6. ASM turns off access to port
7. NAC blacklists User from authenticating
(Diagram: the user on Port 1 in VLAN 1, alongside a Phone VLAN and VLAN 2 at the Access layer; Distribution & Core; Data Center; DMZ; Internet.)
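Steps 4 to 7 of the scenario above, as an added Python example of the automated response chain (not Enterasys ASM or NAC code): the forwarded IDS event is resolved from IP to MAC to switch port, the port is disabled and the NAC session's user is blacklisted. The switch and port names, tables, severity threshold and the rule that an uplink is escalated to a human rather than shut automatically are all constructed assumptions.

```python
"""Added example: automated response chain IDS event -> ASM -> NAC (not Enterasys code)."""
from dataclasses import dataclass, field

SEVERITY_THRESHOLD = 8   # constructed: only high-severity IDS events trigger automatic isolation


@dataclass
class Port:
    switch: str
    name: str
    role: str                 # "access" (one user behind it) or "uplink" (many users behind it)
    enabled: bool = True


@dataclass
class Network:
    """Constructed inventory the ASM consults; a real ASM reads these tables from the switches."""
    ports: dict               # (switch, port name) -> Port
    mac_table: dict           # mac -> (switch, port name) where the MAC was learned
    arp_table: dict           # ip -> mac
    sessions: dict            # mac -> user that NAC authenticated on that MAC
    blacklist: set = field(default_factory=set)
    log: list = field(default_factory=list)


def locate(net: Network, ip: str):
    """Step 5: IP -> MAC -> switch port. Returns (mac, Port or None)."""
    mac = net.arp_table.get(ip)
    where = net.mac_table.get(mac)
    return mac, (net.ports.get(where) if where else None)


def respond(net: Network, event: dict) -> str:
    """Steps 4-7 for one forwarded IDS event. Returns the action taken for the audit trail."""
    eid, src = event["id"], event["src_ip"]
    if event["severity"] < SEVERITY_THRESHOLD:
        net.log.append(f"{eid}: severity {event['severity']} below threshold; monitoring only")
        return "monitor"
    mac, port = locate(net, src)
    if port is None:
        net.log.append(f"{eid}: {src} not found on any access port; escalated to operations center")
        return "escalate"
    if port.role != "access":
        # Shutting an uplink would disconnect every host behind it, so a human decides.
        net.log.append(f"{eid}: {src} seen behind uplink {port.switch}/{port.name}; escalated")
        return "escalate"
    port.enabled = False                                   # step 6: ASM turns off the port
    user = net.sessions.get(mac)
    if user:
        net.blacklist.add(user)                            # step 7: NAC refuses future authentication
    net.log.append(f"{eid}: disabled {port.switch}/{port.name} (mac {mac}); blacklisted {user}")
    return "isolated"


def sample_network() -> Network:
    """Constructed topology: two user ports plus one uplink toward the distribution layer."""
    ports = {("sw-access-1", "ge.1.1"): Port("sw-access-1", "ge.1.1", "access"),
             ("sw-access-1", "ge.1.2"): Port("sw-access-1", "ge.1.2", "access"),
             ("sw-access-1", "ge.1.48"): Port("sw-access-1", "ge.1.48", "uplink")}
    return Network(
        ports=ports,
        mac_table={"00:11:22:33:44:55": ("sw-access-1", "ge.1.1"),
                   "00:11:22:33:44:66": ("sw-access-1", "ge.1.2"),
                   "00:aa:bb:cc:dd:ee": ("sw-access-1", "ge.1.48")},
        arp_table={"10.1.1.50": "00:11:22:33:44:55", "10.1.1.51": "00:11:22:33:44:66",
                   "10.9.9.9": "00:aa:bb:cc:dd:ee"},
        sessions={"00:11:22:33:44:55": "mallory", "00:11:22:33:44:66": "alice"},
    )


if __name__ == "__main__":
    net = sample_network()
    print(respond(net, {"id": "ids-1001", "src_ip": "10.1.1.50", "severity": 9}))   # isolated
    print(*net.log, sep="\n")
```

Every branch writes a log line because an automated action that disconnects a user must be explainable afterwards; the escalate and monitor outcomes are what keep a mis-tuned signature from turning into a self-inflicted outage.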
Thank You