AhnLab TrusGuard Standard Proposal “The Best of Network Security solutions, AhnLab TrusGuard” July, 2010

AhnLab TrusGuard Standard Proposal Eng

Page 1: AhnLab TrusGuard Standard Proposal Eng

AhnLab TrusGuard Standard Proposal

“The Best of Network Security solutions, AhnLab TrusGuard”

July, 2010

Page 2: AhnLab TrusGuard Standard Proposal Eng

Table of Contents

Recent Trend in Security Threats

Product Overview

Special Advantages of AhnLab TrusGuard

Customer Benefits

Detailed Functions

Specifications

Main UI View

Implementation Case

Appendix.

Network Security Trend

Page 3: AhnLab TrusGuard Standard Proposal Eng

Recent Trend in Security Threats

Page 4: AhnLab TrusGuard Standard Proposal Eng

Recent Trend in Security Threats: Overview

The latest trend in anti-virus protection can be described as “Diversification, Complexity, Systemization.”

[Figure: Attacker (Script Kid; Professional, Organized Crime) against Attack motivation (Pure curiosity; Profit gain). Labels: The Hack, The Virus, The Bot, Injection, XSS]

• Malware (Virus, Worm, Trojan, Bot) is still a big threat.
• Complexity of SPAM + Trojan + Phishing + Pharming
• Spread of DDoS & attack on web applications
• Limitation in patch management
• Change of target from unspecified general public to a specified target
• Emergence of profit-motivated cyber crimes

Page 5: AhnLab TrusGuard Standard Proposal Eng

Recent Trend in Malware

Following 2008, Trojan horses that steal internal and account information are still prevailing, and infection by worms, usually spreading malicious attacks on internal networks, and the emergence of new worms are increasingly reported.

• Trojan horses for stealing internal & account information still take up a large part in threats to enterprises (39%)
• Reports on infection by “spreading worms”, which severely hinder the availability of internal network and systems, and their new variants are increasing
  - Infection by worms through USB mobile storage devices is still happening
  - Together with the popularization of the wireless LAN, infection by worms through unauthorized PCs connecting to the internal network is increasing

[Infection by Malware Types, 2009]
Trojans 39%, Virus 12%, Adware 12%, Worm 10%, Script 7%, Dropper 5%, Others 15%
Source: AhnLab ASEC Report (Dec., 2009)

[Infection by New Malware Types, 2009]
Trojans 55%, Adware 27%, Downloader 7%, Worm 5%, Script 2%, Others
Source: AhnLab ASEC Report (Dec., 2009)

Page 6: AhnLab TrusGuard Standard Proposal Eng

Trend during a DDoS Attack (1)

The major threat in the recent network-based attack trend is DDoS.

[Incoming threat types to network in Korea, as of Nov., 2009]
[Figure: ISPs: Threat trend. Labels: UDP Flooding, TCP SYN Flooding]
Source: KISA monthly bulletin of Internet incident trend & analysis (Nov., 2009)

○ The analysis of incoming threat types to ISP network revealed…
  - UDP Flooding, a variety of DDoS attack, was the major threat.
  - The most common DDoS attack, TCP SYN Flooding, is occurring consistently.

[Monthly trend of infection by malicious Bots, in Korea]
[Figure: Percentage of infected PCs in Korea among worldwide PCs infected by Bot]
Source: KISA monthly bulletin of Internet incident trend & analysis (July)

○ Bot is a malicious code that produces large numbers of zombie PCs used for DDoS attacks.
○ When the number of Bot-infected PCs increases, the threat by a DDoS attack also increases.
○ The infection rate by Bot in Korea has decreased greatly from 2008. (Average 10% in 2008, average 1% in 2009)

Page 7: AhnLab TrusGuard Standard Proposal Eng

DDoS Attack Trends (2)

DDoS attacks have shifted from attacks that drain bandwidth to attacks that drain system resources and target application weaknesses.

1st stage DDoS (Early to mid 2000s): Network resource draining attacks
• Flooding attacks
  - ICMP Flood attack
  - UDP Flood attack
• Amplification attacks
  - Smurf attack
  - Fraggle attack

2nd stage DDoS (2006 ~ 2007): TCP/Application weakness attacks
• TCP 3-way handshake attacks targeting weaknesses
  - SYN Flooding attack
  - ACK Flooding attack
  - SYN+ACK Flooding attack

3rd stage DDoS (2008 ~): Complex / Intelligent attacks
• Flooding attacks + Weakness attacks
  . HTTP Get Flooding
  . ICMP Flooding
  . TCP SYN Flooding
  . UDP Flooding

[Diagram labels: Network draining attacks; Traffic inducing attacks; Simple attacks; Complicated & Intelligent Attack; All citizens, organizing, and political purposes, financial gain; Automatically]

Page 8: AhnLab TrusGuard Standard Proposal Eng

DDoS Attack Trends (3)

DDoS attacks are targeting every type of business regardless of size.

Any company that uses the internet to provide services is vulnerable to DDoS attacks.

[Figure: DDoS attacks over time, 2000 / 2006 / 2008 / 2010. Labels: Early DDoS attacks; Amazon, eBay, Yahoo DDoS attacks; Rapid increase in DDoS attacks; IRC Bot DDoS attacks; DDoS attacks from viruses; Mirae Asset; Increase in money-stealing DDoS attacks]

[Recent Attacks]
○ 2009.7 : 7.7 DDoS Crisis
○ 2008.8 : Game rating board’s homepage shut down for 9 hours
○ 2008.6 : Grand National Party’s homepage shut down due to DDoS attack
○ 2008.3 : Mirae Asset’s homepage shut down for 1 hour, money demanded
○ 2007.9~10 : Game item trading site was attacked and money demanded
○ 2007.6~8 : Money demanded from travel and pension reservation sites, etc.
○ 2007.5 : Estonian government and parliament sites paralyzed for 3 weeks
○ 2007.1 : DDoS attack on domain registration proxy company

[Attack Method]
○ Omnidirectional attacks using various protocols such as TCP/ UDP/ ICMP/ HTTP
○ Flooding attacks using malicious IRC Bots are the mainstream
○ Attacks send from 500M ~ 1G (small attack) to 40~50G (large attack) of traffic to shut down systems or paralyze service

Various companies in the financial industry, public sector, small online service companies, etc., are exposed to the threat of DDoS attacks.

Page 9: AhnLab TrusGuard Standard Proposal Eng

Threats that exploit vulnerabilities in web applications

The most prevalent threat types in web application attacks are XSS (Cross-site Scripting) and SQL injection. They exploit vulnerabilities to leak private information, steal account privileges and alter/destroy data.

[Major threat types exploiting web vulnerabilities, 2008]
SQL Injection 18.3%, XSS 13.7%, Buffer error 9.8%; other categories in the chart: Access control, Input authentication error, Asset management error, Directory search, Information leakage, Others
Source: KISA monthly bulletin of Internet incident trend & analysis (Dec., 2008)

○ SQL injection, XSS (Cross-site Scripting) and buffer error ranked 1, 2 and 3 in major web vulnerability threat types in 2008.
○ The SQL injection attack increased rapidly due to the wide distribution of an automatic mass-SQL injection tool like ‘Jeopard in a hole.’
○ SQL injection attack type is changing…
  - from stealing data inside the DB
  - to infecting/spreading the malicious code on connected users by deploying the malicious code inside the DB.

Page 10: AhnLab TrusGuard Standard Proposal Eng

Diversified Attack Routes (1)

As various IT devices and applications emerge rapidly due to advancement of Internet business, the client’s system is becoming overexposed to numerous attack routes.

[Diagram: attack routes into the client’s system. Labels: File download; Wireless; Vulnerabilities in OS and commercial programs; Mobile storage devices; P2P programs; E-mail; Instant messaging programs; Internet surfing]

Page 11: AhnLab TrusGuard Standard Proposal Eng

Diversified Attack Routes (2)

Among the attack routes of viruses and worms in Korean companies with 5 or more employees, “infection through downloading from Internet” ranked highest with a rate of 85.0%.

By industry, manufacturing (89.1%), wholesale (87.7%) and construction (87.6%) showed relatively higher rates of “infection through downloading from Internet” and even in banking and insurance, the rate was 80.8%.

Download from Internet: 85.0%
By visiting certain websites: 54.5%
E-mail: 50.8%
Shared folder, internal networks: 42.4%
Storage devices (CD, USB, etc.): 34.1%
By external hacking: 17.5%
Others: 2.4%
Source: Survey on information security in enterprises, 2008

Indeed, downloading of spreading worms and zombie malware during web surfing is rapidly increasing.

Page 12: AhnLab TrusGuard Standard Proposal Eng

Network Security Trend

Page 13: AhnLab TrusGuard Standard Proposal Eng

Performance & Scalability, All at Once!!

Technology in network security appliance is progressing toward the multi-core based, high-performance platform.

Single-core based hardware
• Pentium or Xeon base
• Low-end H/W platform
• Limited performance

Network Processor / ASIC
• Specialized chipset base
• Exclusive packet-handling processor
• High-performance packet handling & delivery
• Difficult to add functions
  - Customization not allowed.
  - Difficulty in time-to-market

Multi-core based hardware
• Multi-core process base
• High-end H/W platform
• Linear performance enhancement when an additional core is added.
• Easy to add functions & excellent at combating fast-changing security threats.

Page 14: AhnLab TrusGuard Standard Proposal Eng

From Single-Purpose to Integrated Multi-Purpose…

With rapid advance in H/W technology and a tendency toward Green IT, “integration of practical security functions” is the new direction in network security appliance.

Single-purpose (~ Mid. 2000s)
• Firewall only, VPN only approach
• Low-end H/W environment
  - Limited performance

Combined functions (Mid. 2000s ~ Current)
• Integrated Security
  - Combination of functions
• Firewall+VPN+IPS+AV+AS
• High-end H/W
  - Overcoming performance limitation of multi-functions
• Lack of elaborate functions

Practical integration (2010 ~)
• Green IT in Security
• Overcoming performance limitations
  - Advance of multi-core H/W
  - 16 Cores, 32 Cores or more
  - Continuous expansion of performance
• Elaborate functions enabled.
  - Integration of Firewall & IPS

Page 15: AhnLab TrusGuard Standard Proposal Eng

Product Overview

Page 16: AhnLab TrusGuard Standard Proposal Eng

Product Overview

AhnLab TrusGuard is an “Integrated Network Security System” that combines “Firewall/VPN-based, high-performance network security” with strong “Security Threat Response Technology.”

Network security functions

Firewall/ Networking
- Stateful inspection filtering
- Route/Transparent mode
- Dynamic routing/ QoS function
- IPv6 support (as of 5.2010.)

VPN
- SSL VPN function
- IPSec VPN function (G-to-G, G-to-C VPN)

DDoS defense
- Equipped with an exclusive engine for DDoS defense
- 6-phase response
- Protection against attacks of various types (Flooding, Draining of application)

Contents security functions

I(D)PS
- Signature-based detection & prevention of attacks
- Behavior-based detection & prevention of attacks
- More than 6 thousand rules for detecting attacks
- 3-phase mechanism for preventing attacks
- NAC function (synched with end-point V3)

Anti-Virus
- Prevention of intrusion by virus, worm, spyware, phishing, etc.
- Supports HTTP/SMTP/POP3/FTP
- Equipped with V3 engine.
- 365*24 ASEC service/ CDN

Anti-Spam/ Web Filtering
- Black list-based spam filtering
- Spam engine-based filtering
- Keyword-based filtering
- Spam quarantine & storing
- Access filtering of harmful sites

Integrated management
- Log analysis & real-time display
- Correlation analysis of threat data
- 50 types of security analysis reports
- Integrated policy management of many appliances

Page 17: AhnLab TrusGuard Standard Proposal Eng

Special Advantages of AhnLab TrusGuard

Page 18: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features: Overview

AhnLab TrusGuard distinguishes itself through the synergy of an organic combination of “high-performance, high-quality network security technology” with “proactive, comprehensive integrated security technology.”

[Diagram areas: Network Security; Integrated Security; Manage. Headings: High Performance & Flexibility; Proactive & Comprehensive; Simple & Graphical]

• High-performance platform & optimized design for multi-core
• Intuitive & graphical information display
• Embedded, real-time monitoring information
• Security response to ‘zero-day & emergent’ attacks
• Specialized DDoS engine (overseas patent-pending)
• V3-synched NAC function
• External log server/ manager
• Competitive IPS function
• Powerful anti-virus/ anti-spam
• Flexible network security (IPv4 & IPv6)
• Flexible VPN with enhanced security
• High-quality firewall technology
• Prevents zombie malicious codes by linking with ACCESS.
• No.1 security response technology
• Largest security response infra.

* ACCESS (AhnLab Cloud Computing E-Security System)
- A centralized, real-time threat monitoring & analysis system based on cloud-computing technology

Page 19: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – High-Quality Firewall

TrusGuard is based on elaborate and reliable high-quality firewall technology.

The design of TrusGuard is based on “Suhoshin Absolute”, the best firewall solution in Korea.

“Suhoshin Absolute” was the first commercial firewall in Korea and it has proven its technical reliability and performance in the market by acquiring more than 3,000 client references during the last 10 years.

Stateful Inspection
• Provides independent performance regardless of number of rules.
• Based on black list/ white list.

High Availability
• Fail-over function (Active-Active, Active-Standby)
• Can back-up without a separate L4 switch (Session/ Rule synch)
• Full-mesh structure

Port Aggregation
• Uses 2 or more physical ports as a single logical port.
• Can process the traffic equal to Bandwidth * No. of port(s).
• Handles the large traffic easily and provides fail-over function among ports.

Quality of Service
• Can set/limit maximum traffic volume when setting security policy.
• QoS setting can be established by policies/IPs/ports.
• Supports policy-based & schedule-based QoS.

Routing
• Static/Dynamic routing (RIP, RIPv2, OSPF)
• Supports multicasting / source routing.

VoIP support
• Supports SIP, H.323 communication.

Authentication
• Internal OTP, External RADIUS synch

NAT
• Static (1:1)/ Dynamic NAT (1:N, M:N), Twice NAT
• Excluded NAT, NAT Traversal, Load-Sharing NAT

Others
• Supports 802.1Q VLAN.
• Supports DHCP server & DHCP relay.

[Diagram: HA setting (Active-Active, Active-Standby) between the Internet and the server farm]

Page 20: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – High-Performance

TrusGuard is based on a high-performance hardware platform and a S/W architecture design optimized for that platform.

To achieve high performance when running multiple functions, every model of TrusGuard (except the SOHO model) is configured with a multi-core platform and optimized architecture design.

[Diagram: AhnLab TrusGuard with Core 1, Core 2, Core 3, Core 4 and the functions Firewall, VPN, IPS/DDoS, Anti-Virus, Anti-Spam]

○ Multi-core platform in all models (TrusGuard 50 excluded.)
○ Optimal distribution technology of packets to multi-core applied.
○ When running a single function, the multi-core utilization provides the “maximum performance.”
○ When running multiple functions, the multi-core utilization provides the “optimal performance.”

※ Throughput Test Result

Classification: Throughput (1024 byte)
Firewall only: 6G
Simultaneous running of firewall & IPS (Signature 6,000 on): 2G
Test condition: Performance value of TrusGuard 1000 model with 6 ports

* Performance test condition
- Used IXIA test equipment.
- Used GET Request 10K, 1G * 6ports.

* The above performance can vary depending on the client’s individual network environment.

Page 21: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – IPSec VPN

With TrusGuard, you can establish VPN network with enhanced security response capability in HQ-branch and PC-office.

Using IPSec VPN as the default function, TrusGuard provides a secure way of communicating through the public network. Also, when the firewall/IPS function is synched for traffic inside the VPN tunnel, it can prevent the internal spread of malicious codes.

Support for IPSec standard
• Supports tunnel mode, ESP, AH, ESP+AH.
• Can be synched with IPSec standard products.
• Supports encryption algorithm like 3DES, AES, SEED, ARIA.
• IKEv1, IKEv2, manual support
• Supports hub & spoke, star, mesh structure.

NAT Traversal
• Supports IPSec in NAT environment that uses private IP.

Dual Line
• Supports VPN Line Take Over via ADSL (2 lines or more)

DPD
• Real-time automatic transfer by detecting host status

Firewall/ IPS synch
• Firewall/IPS policy can be synched for VPN packets.
  - Prevents spread of malware through VPN tunnel.

Bypass of other IPSec packets
• Can bypass IPSec packets for other appliances.
  - Provides flexible response for enterprises that use various security appliances.

Scalability
• Supports the synch with L4 for expanded throughput.
• Supports bridge over IPSec.

VPN Accelerator
• Provides high-performance VPN through the equipped hardware accelerator. (TrusGuard 1000 model)

Other functions
• Supports split tunnel function.
• Prevents replay attack.
• Standard PKI synchronization (X.509)

[Diagram: IPSec VPN Tunnel between HQ and Branch; Remote connection (Connects SSL VPN); High-performance VPN communication through hardware acceleration]

Page 22: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – SSL VPN

TrusGuard provides a flexible VPN network with enhanced security that meets the client’s environment.

TrusGuard allows the flexible setup of VPN network as both IPSec VPN and SSL VPN are supported in the same appliance.

- When connecting SSL VPN, AhnLab Online Security (PC firewall/ Anti-Key logger Program) is automatically installed, then, the security status of the connected PC is checked to strengthen the internal security of the enterprise.

TrusGuard effectively prevents the spread of worm/Bot infected from the branch to the HQ system through powerful IPS-synch function.

[Diagram labels: Internet; DMZ; Server farm; University department network; Backbone Network; Department A, Department B, Department C; TrusGuard; Branch Z; SSL VPN Tunnel; IPSec VPN Tunnel; AhnLab Online Security installation; Malicious traffic in VPN Tunnel]

Page 23: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – IPv6 (to be provided in May, 2010)

TrusGuard supports IPv4 & IPv6 dual-stack security setting in real network environment.

TrusGuard provides full security for various network environments where IPv6 is applied.

• IPv6 packet filtering algorithm
• Fully supports many IPv6-related routing/transitions.
• Fully supports both IPv6 & IPv4 combined network.

IPv6
• Stateful Inspection
• Transition technology (tunneling, translation)
• IPv4 & IPv6 dual-stack support
• NAT & Logging
• DHCPv6, RA
• IPv6 routing (Ripv6, OSPFv6)

[Diagram labels: Server farm; Internet; TrusGuard; HQ; IPv6 network; IPv6 web server; Tunneling over IPv4; IPv4 Internet]

Page 24: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – Integrated Security Infrastructure

TrusGuard can “create/maintain/deliver” the differentiated security response contents.

The core competence of TrusGuard lies in the security infrastructure like ASEC/CERT/ACCESS that provides an effective response to increasingly diverse and malignant security threats.

ASEC
• Malware collection & analysis of trend
• Analysis of NW attack trend
• Proactive Prevention
• Writing/Distribution of signature

CERT
• No. 1 managed security provider in Korea
• Provides managed security service to major clients.
• Real-time response to NW attack

Collaboration: Acquire & respond to the real-time attack/threat information.

ACCESS (AhnLab Cloud Computing E-Security System)
“A centralized, real-time threat monitoring & analysis system based on cloud-computing technology”

[Column headings: Outbreak Prevention; Zero-Day Attack Prevention; Up-to-date & Accurate]
• Prevents vulnerability estimation.
  - Pre-distribution of signature for predicted ‘vulnerability attack.’
• Microsoft MAPP Partnership
  - A program for pre-sharing security patch info.
• Early prevention of malicious codes/attacks
  - Distributes signature for preventing early spreading.
• 2~3 signature updates per day
  - Maintains up-to-date signatures.
• Collaboration with internal CERT (Managed Security Center)
  - Can detect & respond to the real-time attack occurring in the client’s sites.
• 24*7*365 support
  - When emergency arises, rapid response is provided.

* ASEC : AhnLab Security E-response Center
* CERT : Computer Emergency Response Center

Page 25: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – Integrated Security Infrastructure

TrusGuard can “create/maintain/deliver” the differentiated security response contents.

TrusGuard, using its 3-phase defense system for various security threats, can provide powerful protection against zero-day attacks and emergent attacks to your system.

[3-Phase Defense Mechanism]
Phase 1 : Pattern estimation and distribution of the prevention policy
Phase 2 : Distribution of the early-prevention policy
Phase 3 : Distribution of the prevention policy for network worm

[Diagram labels: Vulnerability reported. Attack emerged. Sample collected. IPS Signature distributed. AST & CDN service; Zero-day Prevention; Outbreak Prevention]

[Zero-day Attack Prevention Examples]

Example #1. Attack on IE memory corrupt vulnerability
2009/02/10 : Vulnerability reported.
2009/02/10 : TrusGuard signature for estimated attack was distributed.
2009/02/11 : Microsoft announced the security patch.
2009/02/18 : Public disclosure of the executable attack code.

Example #2. Microsoft Access Active X remote exploit
2008/07/18 : First discovery of the vulnerability (Chinese community website)
2008/10/23 : TrusGuard signature for estimated attack was distributed.
2008/10/28 : A website that spreads the malicious code exploiting the vulnerability was sighted.

Example #3. Attack on server service vulnerability (RPC vulnerability attack)
2008/10/23 : MMPC reported the emergence of a worm.
2008/10/23 : MS announced the emergency security patch.
2008/10/23 : TrusGuard signature was distributed.

Page 26: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features - IPS

TrusGuard is very powerful in combating various vulnerability attacks and malicious codes.

TrusGuard possesses more than 6,000 security response rules, the largest of any worldwide IPS and, through ASEC, provides 24*365 monitoring/analysis service, daily 2~3 update service and emergency response service.

TrusGuard IPS function
• World’s largest security response signature (6,000)
• 2~3 signature updates per day
  - Up-to-date & accurate signatures
  - Reliable update environment through CDN
• Prevention of various network-base attacks/malwares
  - Please refer to the IPS response list below.
• MSPP partnership with Microsoft
• Real-time monitoring/analysis system for various security threats

TrusGuard IPS – rules that are internally monitored/written.

▶ Prevention of vulnerability attacks ◀
• Application vulnerability
  - OS/ IE/ ARP Spoofing, etc.
  - Shell Code
• Web vulnerability (OWASP vulnerability)
  - SQL injection, XSS vulnerability, etc.
  - CGI/ IIS/ MISC vulnerability, etc.

▶ Prevention of network-based attacks ◀
• Scanning attack
• NetBios/ RPC attack
• DoS attack/ Backdoor
• P2P/ Instant messaging
• Protocol anomaly
• Others

▶ Blocking of malware source ◀
• Web monitoring system
• Use of SiteGuard DB
• Operation of active honey pot

▶ Prevention of malware attacks ◀
• Worm
• Bot/ BotNet
• Trojan
• Spyware/ Downloader
• Mass mailer
• Dropper

[Diagram labels: Analysis of VRS vulnerability; BotNet management system; WebMon system; DDoS monitoring system; Managed security service; Intrusion log analysis system]

Page 27: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – Prevention of Web/Application Vulnerability Attacks

TrusGuard provides superb protection against ever-increasing attacks that exploit web & application vulnerabilities.

TrusGuard provides the phased defense mechanism against popular web attacks like SQL Injection, XSS (Cross-site Scripting), etc.

[Phased response mechanism against web vulnerability attack]

Prevention 1 : Prevent vulnerability attack on web server.
• Prevents attacks that exploit vulnerabilities in web server like SQL/ PHP Injection, XSS, CSRF, etc.

Prevention 2 : Block access to the server in malware passing point.
• Blocks access to the malware passing point server by internal client PCs.

Prevention 3 : Block access to the server in malware spreading point.
• Prevents access to the server in malware spreading points by internal client PCs.

Prevention 4 : Block downloading of the vulnerability attack code.
• If connected to the server in spreading points, TrusGuard blocks the downloading of the vulnerability attack code to the internal client PCs.

[Example of phased prevention of web vulnerability attack]
[Diagram labels: Attacker; Internet; Attack target Web server (Vulnerability #1, #2, #3, ... #n); Infect; Redirection; Passing point; Spreading point server; TrusGuard; Prevent 1, Prevent 2, Prevent 3, Prevent 4]

TrusGuard is equipped with signatures that effectively protect against the 10 vulnerability attacks on web applications selected by OWASP, and these signatures are updated 2~3 times per day through ASEC.

* ASEC (AhnLab Security E-response Center) : A specialized unit in AhnLab that provides monitoring/analysis of malwares/attacks, response service and signature writing.

Page 28: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – Detection/Block of Zombie Malware

TrusGuard detects zombie malware and prevents infection and spread of zombie malwares.

TrusGuard not only prevents DDoS using Bot but prevents the infection of internal PCs by Bot as well.

Also, even if internal PCs are infected by Bot, TrusGuard protects client’s network by performing various operations to prevent the running of Bot.

[Diagram labels: BotNet; Block malware spreading point; Block spreading of Bot; Prevent malware attack; Prevent vulnerability attack; Block internal infection by Bot; Prevent internal infection by Bot; Block C&C communication; Block external spreading of Bot; Prevent external spreading of Bot]

Page 29: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – ACCESS-synched Removal of Zombie Malware

TrusGuard provides the real-time detection/prevention of active zombie malware (Bot) through synch with ACCESS system based on cloud-computing technology.

① Detects abnormal network behavior of a certain file.
② Monitoring of the same behavior
③ Real-time analysis
④ Apply the analysis result in real time.

Threat Info-Gathering System
• Program info.
• Reputation system
• File activity trend
• Behavior-based activity
• Relations among files
• Malware distribution route

[Diagram labels: Enterprise; TrusGuard; Block zombie malwares; Prevents spreading of zombie PCs]

The ACCESS-based DDoS monitoring system is AhnLab’s unique monitoring and analysis system for zombie malwares. With information gathered from 10 million sensors for detecting zombie malwares, it provides real-time analysis & response service.

Page 30: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features – ACCESS-synched Prevention of Zombie Malware

TrusGuard provides real-time detection/prevention of active zombie malware (Bot) through synching with our ACCESS system based on cloud-computing technology.

[Diagram labels: Sensor (x3); Bot malware file; Bot malware activity info.; ACCESS (DDoS Monitoring System); ASEC; DDoS monitoring system; Applied to TrusGuard]

• Prevention of zombie malware
  - Provides block signature for accessing the server in spreading point.
  - Provides block signature for accessing C&C server.
  - Provides block signature for infection/downloading of zombie malware.
  - Provides block signature for synched update among malwares.

Page 31: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Features - NAC

TrusGuard provides NAC function through synching with end-point security solutions.

TrusGuard is synchronized with V3, an anti-virus product by the same company to…
① prevent access by PCs without APC Agent that performs ‘V3 installation & up-to-date V3 update.’
② quarantine infected PCs from internal network and to perform automatic repair. (when using IPS license)

Through this, TrusGuard prevents the infected PCs from spreading to internal networks and above all, it strongly blocks the activity of zombie malware through synch with DDoS monitoring system.

[Diagram labels: Internet; DMZ; Server Farm; Core Network; Distribution Network; Headquarter; Branch; VPN Tunnel; TrusGuard 1000; TrusGuard 500; TrusGuard 100; V3 (end-point PCs); PC without APC agent; ① Network access control & redirection to APC agent installation page; ② PC quarantine & automatic repair]

Page 32: AhnLab TrusGuard Standard Proposal Eng

TrusGuard Feature – Defense against DDoS Attack

TrusGuard provides strong protection from DDoS attack, a major type of network attack.

TrusGuard is equipped with a special DDoS defense engine that is delicately phased and currently overseas patent-pending.

1st Phase : Runs DDoS detection engine.
- When a certain session threshold is reached, it is judged as a DDoS attack.

2nd Phase : Runs anti-spoofing protection.
- Filters spoofed packets through a virtual response to TCP connection attempts under attack situation.

3rd Phase : Runs dynamic protection.
- For packets decided as attacks after real-time analysis of packets under attack situation, the rate-limit is applied.

4th Phase : Runs segment protection.
- Performs self-learning of session statistics on connections per source IP segment during the normal time.
- Under attack situation, blocks an IP segment with abnormal session connections after deciding it is an attack.

5th Phase : Runs HTTP BotNet protection.
- Blocks large volume of HTTP BotNet attacks that occur after connecting to TCP session.

Overseas patent No. 2007-114875
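The 1st and 4th phases listed above can be sketched as follows. This is an added example, not AhnLab's code or the TrusGuard engine: the /24 segment size, the threshold values, the class and function names and the sample addresses (documentation ranges) are all assumptions constructed for illustration.

```python
"""Sketch of phase 1 (session threshold) and phase 4 (segment protection)."""
import ipaddress
from collections import Counter

SEGMENT_PREFIX = 24       # assumption: a "source IP segment" is a /24
ATTACK_THRESHOLD = 1000   # assumption: new sessions per interval that flags an attack
ABNORMAL_FACTOR = 5       # assumption: allowed multiple of a segment's learned peak
UNSEEN_ALLOWANCE = 20     # assumption: budget for segments never seen while learning


def segment_of(src_ip):
    """Map a source address to its segment, e.g. 198.51.100.7 -> 198.51.100.0/24."""
    return ipaddress.ip_network(f"{src_ip}/{SEGMENT_PREFIX}", strict=False)


class SegmentProtector:
    """Learns per-segment session counts in normal time, blocks outliers under attack."""

    def __init__(self):
        self.baseline = {}  # segment -> highest per-interval session count observed

    def learn(self, sources):
        """Normal time: record the peak session count per segment for one interval."""
        for seg, n in Counter(segment_of(ip) for ip in sources).items():
            self.baseline[seg] = max(self.baseline.get(seg, 0), n)

    def evaluate(self, sources):
        """Check one interval of new sessions.

        Returns (under_attack, segments_to_block).
        """
        counts = Counter(segment_of(ip) for ip in sources)
        # Phase 1: the total session count reaching the threshold is judged an attack.
        if sum(counts.values()) < ATTACK_THRESHOLD:
            return False, set()
        # Phase 4: only under attack, block segments far above their learned peak.
        blocked = set()
        for seg, n in counts.items():
            limit = max(self.baseline.get(seg, 0) * ABNORMAL_FACTOR, UNSEEN_ALLOWANCE)
            if n > limit:
                blocked.add(seg)
        return True, blocked


# Constructed sample traffic: one source address per new session in an interval.
NORMAL_INTERVAL = (
    [f"203.0.113.{i + 1}" for i in range(40)]
    + [f"198.51.100.{i + 1}" for i in range(10)]
)
ATTACK_INTERVAL = (
    [f"192.0.2.{i % 250 + 1}" for i in range(1500)]   # flood from an unseen segment
    + [f"203.0.113.{i + 1}" for i in range(45)]       # regular clients, near baseline
    + [f"198.51.100.{i + 1}" for i in range(12)]
)
BURST_INTERVAL = [f"198.51.100.{i % 250 + 1}" for i in range(300)]  # below threshold


def demo():
    """Learn from the normal interval, then evaluate the burst and the attack."""
    protector = SegmentProtector()
    protector.learn(NORMAL_INTERVAL)
    burst = protector.evaluate(BURST_INTERVAL)
    attack, blocked = protector.evaluate(ATTACK_INTERVAL)
    return burst, attack, sorted(str(seg) for seg in blocked)


if __name__ == "__main__":
    print(demo())
```

The regular segments stay reachable during the flood because each is compared with its own learned peak, and a burst that stays below the phase 1 threshold blocks nothing.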

*Financial Supervisory Service (FSS): Korea’s government agency which monitors and audits all financial institutions operating in Korea, and imposes sanctions against those which violate the financial regulations of the nation.

Page 33: AhnLab TrusGuard Standard Proposal Eng

마스터 제목 스타일 편집

마스터 부제목 스타일 편집

TrusGuard Feature – Defense against DDoS Attack

TrusGuard is equipped with protection functions against a DDoS attack of various sorts like the list below.

TrusGuard provides strong protection from a DDoS attack, a major type of network attack.

| Direction | Attack Category | Attack Type | Prevention Type |
|---|---|---|---|
| Inbound DDoS Attack | TCP Flooding Attack | TCP SYN Flooding; TCP SYN Flooding Spoofing; TCP ACK Flooding; TCP ACK Flooding Spoofing; TCP NULL Flooding; TCP NULL Flooding Spoofing; SYN-ACK Flooding; RST Flooding; IP Random Fragment Flag | Filtering by the special DDoS engine |
| Inbound DDoS Attack | UDP Flooding Attack | UDP Flooding; UDP Flooding Spoofing; IP Random Fragment Flag | Filtering by the special DDoS engine |
| Inbound DDoS Attack | ICMP Flooding Attack | ICMP Echo Flooding; ICMP Echo Flooding (Spoofing); ICMP Echo Reply Flooding; ICMP Echo Reply Flooding (Spoofing) | Filtering by the special DDoS engine |
| Inbound DDoS Attack | HTTP Attack | BotNet Attack; CC (Cache-Control) Attack | Filtering by the special DDoS engine |
| Inbound DDoS Attack | Other Attacks | Confuse TCP/UDP/ICMP Flooding; Confuse TCP/UDP/ICMP Flooding Spoofing | Filtering by the special DDoS engine |
| Outbound DDoS Attack | Internal zombie PCs | Download zombie program from malware spreading websites | IPS signature-based filtering |
| Outbound DDoS Attack | External attack by internal PCs | Attack on external target servers by internal zombie PCs | IPS signature-based filtering |

Preventable attack patterns are constantly updated by AhnLab ASEC & the DDoS Special Unit.

Page 34: AhnLab TrusGuard Standard Proposal Eng


TrusGuard Features – Anti-Virus

TrusGuard uses the V3 engine, which is proven worldwide for its superiority in virus filtering.

TrusGuard fully blocks the intrusion of malware to the internal network by utilizing 20 years of virus analysis technology and the DB of V3.

TrusGuard has a powerful advantage in preventing malware that changes in real time because it uses a proprietary internal AV engine.

V3 is an internationally acclaimed anti-virus engine which has won several international certificates like 'VB 100' and 'Check Mark.'

[Diagram labels: Internet; AhnLab CDN; ASEC; Virus/Malware; V3 engine update (Regular/Frequent/Emergency)]

Page 35: AhnLab TrusGuard Standard Proposal Eng


TrusGuard Features – Anti-Spam

TrusGuard uses a powerful, world-class spam engine for spam filtering.

Detection of spam from 130 nations

• Distribution Pattern Base

• Structure Pattern Base

Detects spam mail.

Detects E-mail virus outbreak.

“97% spam filtering rate”

“False-positive rate of 1 in 1.5 million”

TrusGuard uses a Global Anti-Spam Engine that is used by more than 100 customers worldwide.

TrusGuard features a superb spam filtering rate of 97% and a very small false-positive rate of 1 in 1.5 million.

TrusGuard also provides a preemptive filtering function against the “unknown virus” that is distributed via E-mail.

Spam Detection Engine

• Powerful spam filtering

• Preemptive filtering of unknown E-mail viruses

Page 36: AhnLab TrusGuard Standard Proposal Eng


TrusGuard Feature – Total Web Access Filtering

TrusGuard can prevent intrusion by malware to the internal network through blocking access to not only non-work related websites but malware distribution sites/phishing sites as well. (to be provided in May, 2010.)

[Diagram labels: DMZ; Server farm; TrusGuard; Internet; Non-work related sites DB (Blocks synch.); SiteGuard DB (Blocks synch.)]

- Blocks access to non-work related websites.

- Blocks access to malware distribution URLs.

- Blocks access to phishing sites.

* TrusGuard-SiteGuard synch service is planned to be provided in May, 2010.

TrusGuard is equipped with its own DB on malware distribution sites that have become major sources of malware distribution. This DB is updated in real-time to provide up-to-date protection.

Page 37: AhnLab TrusGuard Standard Proposal Eng


12. Analyzing various security threat events and monitoring & reporting should be available.

TrusGuard UTM provides detection, prevention, and analysis of security events including firewall, IPS, anti-virus, and anti-spam through a “Single Interface.”

[Diagram labels: Firewall Log; VPN Log; Anti-Spam Log; Anti-Virus Log; IPS Log; UTM Log Server]

• Log collection/storage

• Security threat analysis and graphical display

• 50 types of security reporting

- User-defined integration report configuration

[UTM Log Server Functions] [Log Server UI Sample]

▪ Real-time Monitoring

- Real-time display of attacks

- Top 10 Information: By user, attack type, or service type

- Real-time session monitoring

▪ Various analysis tools

- Attack patterns & trend analysis

- Tracing details through Monitoring UIs (Drill-down)

- Event IP monitoring

▪ Administrator Alerting

- Threshold setting and event alerting (E-mail)

Special Advantages of AhnLab TrusGuard UTM - LogServer

Page 38: AhnLab TrusGuard Standard Proposal Eng


TrusGuard Features – AhnLab TrusGuard Manager

TrusGuard provides the management tool for efficient control of many appliances.

TrusGuard Manager is a management tool for controlling many TrusGuard appliances. Chief among its major advantages are “user-oriented simple & dynamic UI” and “powerful monitoring function of management appliances.”

○ Powerful monitoring environment

- System status information of the entire management appliances

- Network usage status of the entire management appliances

- Interface error status of the management appliance

- Health check of the management appliance

- VPN connection status of the management appliance

○ Integrated policy profiling technique

○ Easy setting of IPSec VPN

○ Drag & drop group configuration

○ LogServer Single Sign-on

○ Supports DB2 (freeware version).

○ AST synch function

* To be provided by end of 2009.

○ Differentiated look & feel

○ Dynamic & simple UI

○ User-oriented low depth structure

○ Graphical monitoring

[Panel titles: Specialized visualization; Simple policy setting/management; Powerful monitoring; Many value-added functions]

Page 39: AhnLab TrusGuard Standard Proposal Eng

Real-time monitoring of the entire management appliances

TrusGuard Features - Manager

TrusGuard provides the management tool for efficient control of many appliances.

Manager Overview

Page 40: AhnLab TrusGuard Standard Proposal Eng


Customer Benefits

Page 41: AhnLab TrusGuard Standard Proposal Eng


Customer Benefits

1. You can build a reliable and flexible high-performance network security environment.

Internet

① ②

① Reliable and flexible high-performance firewall.

- Can configure HA without L4 equipment. (A-A, A-S)

- Can control HA separately for VLAN trunking port and VLAN port.

② Flexible VPN with enhanced security

- Prevents intrusion by malware into internal networks by strengthening the network perimeter security among branches. (IPS/AV function is on.)

- Effectively prevents spreading of internally-infected malware like worm/Bot to the entire internal network through VPN.

  . Filtering by synching with IPS/AV

  . NAC by synching with V3

- The use of IPSec VPN and SSL VPN can be mixed to meet the customer's environment.

③ Detection of zombie PCs & Prevention of malware spread

- System and knowhow to detect & analyze malware

  . BotNet information management system / WebMon system

  . DDoS monitoring system (with 1 million sensors)

- Detects and prevents spread of zombie malware in real-time.

  . NAC by synching with V3

Page 42: AhnLab TrusGuard Standard Proposal Eng


- Prevention of threats in branches : Prevents infection by worm/virus.

Customer Benefits

2. The spread of malware to entire networks can be prevented by detecting and blocking malware/Bots.

• “Enhancing security of branch VPN traffic” that is flowing into HQ via VPN

- Applying security policy to VPN traffic that flows from branches to HQ & synching with IPS

• “Prevention of malware spreading among distribution networks” in HQ

- By implementing TrusGuard in the front area of segment network, internal spread and external attack of worm/zombie can be prevented.

[Diagram labels: Internet; AST; Headquarter; Core Network; DMZ; Server Farm; Distribution Network; Branch; TrusGuard 1000; TrusGuard 400; TrusGuard 500; TrusGuard 100; TrusGuard 100]

. Prevention of branch-infected malware from spreading to HQs and attacking server systems.

Page 43: AhnLab TrusGuard Standard Proposal Eng


Customer Benefits

3. You can build a network environment that is free from external security threats.

[Diagram labels: INTERNET; Worm; Bot; DDoS; Trojan; Spyware; Virus; Phishing; Web vulnerability; OS/IE vulnerability; Unauthorized User; Data Sniffing; TrusGuard; HQ; Branch; Remote]

• Security Threats are getting “Complicated, Varied & Intelligent”

• General firewall/VPN provides “access control/anti-data sniffing” functions only.

• AhnLab TrusGuard provides clean network environment through…

“firewall function based on stateful inspection”

“IPS & AV function for protection against external attacks”

“IPSec/SSL VPN function for safe communication with branches or remote offices.”

Page 44: AhnLab TrusGuard Standard Proposal Eng


INTERNET

Customer Benefits

1. Establishment of the network environment free from external security threats is possible. (Continued)

• Three-phased blocking method protects the network from “unknown network attacks.”

• 24*7 updates of blocking rule and signature through ASEC to prevent threats of “latest attacks.”

[Diagram labels: KT; DACOM; Hanaro 1/2 Center; AhnLab AST Server; ASEC; AhnLab CDN Service; Signature Update]

* ASEC (AhnLab Security E-response Center)

[Three-phased Blocking]

Phase 1: Update the predictive prevention of blocking rules before the advent of the worms

- Distribution of predictive prevention rules for potential worms and attacks through OS vulnerability analysis.

- Proactive measures against worm variable patterns

Phase 2: Initial spread blocking rule

- Application of the email filtering rule in the initial spread of the worms

Phase 3: Signature update through sample analysis

- Sample collection and application of the signature made by ASEC

ASEC's rich experience in dealing with malicious code for the past 18 years ensures real-time monitoring and analysis of worms and viruses worldwide, and provides accurate and prompt signature updates.

Page 45: AhnLab TrusGuard Standard Proposal Eng

Customer Benefits

2. Reduction of Total Cost of Operation (TCO)

Point Solution: Multi-vendor solutions of different service levels

- Firewall/VPN, IPS/IDS, Anti-Spam, Viruswall, Web Filtering

Point Solution Risks

- High costs for Adopting the Solution

- Trouble Shooting Issue

- Issue of Securing Necessary Operation Workforce

TrusGuard Benefit: All in One Box

- Simple Maintenance

- Efficient manpower allocation

“With the cost of a firewall, IPS and virus/spam solutions can be built”

• Easy Trouble Shooting

• Service continuity can be guaranteed with the provision of bypass functions.

• Used not only for security but also for other operations.

• Greater productivity.

Page 46: AhnLab TrusGuard Standard Proposal Eng


Customer Benefits

3. Removal of garbage traffic increases productivity and network efficiency.

[Firewall Only]

[Diagram labels: P2P; Spam; Malicious Code; Messenger; Harmful site - Securities/Gambling; Work Traffic; Websurfing]

• Traffic filtering unavailable

• Wide-spread garbage traffic

• Compromised network resource efficiency

[After adopting TrusGuard UTM]

[Diagram labels: Work Traffic; Websurfing]

• Control by traffic type

- Spam blocking

- P2P Messenger control

- Harmful site access control

- Malicious code prevention

• Network cost reduction through traffic optimization

• Greater concentration and productivity

Page 47: AhnLab TrusGuard Standard Proposal Eng


Implementation Case

Page 48: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 00 City Hall (Firewall only)

[Diagram labels: Internet; router; router; TrusGuard; OSPF setting; A-A HA setting]

○ Weakness in old configuration

- Redundant configuration of single-core based low-end firewalls couldn't handle the increase in traffic.

○ Improved security configuration

- Single-core firewalls were removed and TrusGuard 1000 were double-stacked.

- Active - Active High Availability setting

- Automatic backup by configuring OSPF setting in redundant router-security appliance area

○ Benefits

1) Multi-core, high-performance TrusGuard allowed throughput.

- Flexible handling of volume increase of multimedia & Internet contents.

2) Double-stack configuration of TrusGuard enabled high network availability.

- Configuration of session synchronization and policy synchronization

3) Powerful access control based on stateful inspection method

Page 49: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 00 Education Office (Firewall + SSL)

[Diagram labels: Internet; TrusGuard (Firewall); TrusGuard (SSL); DMZ server network; Internal server network]

○ Weakness in old configuration

- Performance issue from using single-core based, low-end firewall

- Use of IPSec VPN Client for remote/telecommuting workers

  Usability reduced due to many problems by disaster, maintenance, installation problems, etc.

○ Improved security configuration

- The single-core firewall was removed and TrusGuard 1000 were double-stacked.

- Active - Standby High Availability setting

- SSL VPN of TrusGuard were provided for remote/telecommuting workers.

○ Benefits

1) Multi-core, high-performance TrusGuard allowed throughput.

- Flexible handling of volume increase of multimedia & Internet contents.

2) Double-stack configuration of TrusGuard enabled high network availability.

- Configuration of session synchronization and policy synchronization

3) Security and availability in remote access by SSL VPN of TrusGuard

4) Enhanced security by connecting to SSL VPN

- Provides PC firewall and anti-keylogging to connected PCs by installing AhnLab AOS.

- Deletes remaining cookies in PCs after connection is terminated.

Page 50: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 00 Newspaper (Firewall + IPS)

[Diagram labels: Internet; L4 switch; TrusGuard (Firewall+IPS); L4 switch; Web firewall; Image server; Web server; DB server]

○ Weakness in old configuration

- Many vulnerabilities due to simple firewall configuration in gateway

- Performance issue in web firewall due to a large volume of unfiltered incoming traffic in web firewall

○ Improved security configuration

- Removed simple firewall and TrusGuard 1000 were double-stacked.

- Simultaneous running of firewall + IPS

- Active-Active setting through L4 switch

○ Benefits

1) By simultaneously running firewall and IPS,

- large volume of harmful traffic targeting web servers and DB server can be filtered.

  ex) web vulnerability attack (SQL Injection/ XSS attack)

- large volume of harmful traffic in web servers are first filtered, which results in reducing the performance overloading in web firewall in the back.

Page 51: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 000 Political Party (DDoS)

[Diagram labels: Attacker; C&C server; Zombies; Control; Control; DDoS; Internet; Web server; Web server]

○ Weakness in old configuration

- Service error due to DDoS attack occurred.

- Firewall was down due to instant overloading of sessions.

- Vulnerable to various hackings, network attacks and malware that bypass firewall policy.

  (Web/Application vulnerability attack, Worm, Bot, Trojan, etc.)

○ Improved security configuration

- TrusGuard was deployed as an exclusive DDoS protection appliance in front of firewall in Internet gateway.

○ Benefits

1) Effective prevention of DDoS attacks

- Normal working of firewall due to prevention of DDoS attacks

- Prevention of DDoS attacks like tcp-syn, icmp, tcp-ack flooding, etc.

- Internal service availability was guaranteed due to normal working of firewall.

2) Blocking of many malware or attacks that cannot be prevented by the firewall

- Worms, Bot, Trojan, Downloader, etc.

- Application vulnerability attack, DoS/ DDoS attack, etc.

3) Effective protection against attacks that exploit web vulnerabilities

- Web application vulnerability attack (SQL Injection, XSS, etc.)

  OS/IE vulnerability attack, etc.

Page 52: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 00 Dotcom (VPN Network)

[Diagram labels: Internet; Headquarter; Server farm; TrusGuard Center; IDC; Branch; TrusGuard; TrusGuard; IPSec VPN Tunnel; SSL VPN Tunnel; Telecommuting/Mobile workers; ATM]

○ Weakness in old configuration

- Because of simple VPN setting between HQ and branches that provides encrypted communication method only, the malware infection in data or unauthorized access could not be detected.

- Errors were frequent in IPSec VPN client in PCs of telecommuting workers.

○ Improved security configuration

- TrusGuard provided safe VPN channel between HQ and branches.

  Runs firewall + IPSec VPN + IPS function simultaneously.

- TrusGuard allowed safe VPN channel between HQ and DataCenter.

- SSL VPN channel for telecommuting/mobile workers

○ Benefits

1) Security in branches was heightened to the level of HQ.

- Firewall, VPN, IPS, Anti-Virus, Contents Filtering, etc.

2) Blocks malware that comes through traffic in VPN tunnel.

- Firewall policy application for VPN traffic & detection/prevention of malware by IPS

3) Redundant configuration of security appliances in HQ through High Availability (Active-Active, Active-Standby) setting

- Can set up redundant configuration without session synch technique & L4 switch.

4) Secure VPN channel between HQ and branches

5) Flexible SSL VPN setting for telecommuting/mobile workers

Page 53: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 00 Gas Station (VPN Network) (1)

[Diagram labels: Center; TrusGuard 1000 (Active); TrusGuard 1000 (Standby); Link Aggregation; C2950; Trunk; DB; ATM (Integrated management); Integrated policy setting; Internet; VPN Local network; Branch with TrusGuard 50 (four shown, more indicated)]

Page 54: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 00 Gas Station (VPN Network) (2)

○ Weakness in old configuration

- Used an exclusive 256K data line for connection between HQ and gas stations under direct control.

  Too expensive when using the exclusive data line.

- No additional system that can respond to security threats was present except the firewall in HQ.

  Very vulnerable to worms and malware that infect a gas station and then spread to the entire network.

○ Improved security configuration

- Using IPSec VPN of TrusGuard, the connection between HQ and stations was configured in gateway-gateway setting.

- On a deployed TrusGuard, the entire functions of firewall, VPN, IPS, AV, anti-spam and website filtering were implemented.

○ Benefits

- The expensive fee for using the exclusive data line was reduced to the level of high-speed Internet broadband lines. Cost-saving while maintaining security level.

- By running various security functions of TrusGuard (IPS, Anti-virus, Anti-spam, Blocking harmful website, etc.):

  . The availability of the station network was ensured by blocking incoming threats at the network level.

  . By preventing malware like worm and Bot infected in the station from spreading to internal network through VPN tunnel,

    1) The availability of VPN network between HQ and branches was ensured.

    2) The major server systems in HQ can be protected from various security threats.

  . The synch with the DDoS monitoring system effectively prevents zombie malware from intruding and spreading to internal network.

Page 55: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 00 University (End-point Synch Security)

[Diagram labels: Internet; DMZ; Server farm; TrusGuard; Backbone Network; School department network; Dept. A; Dept. B; Dept. C; ATM]

○ Weakness in old configuration

- Because only a simple firewall was deployed in the Internet gateway, the network was vulnerable to attacks and malware from outside.

- It was impossible to prevent malware/network attacks by internal PCs or by external authorized/unauthorized PCs that connect to the internal network from spreading to the entire internal network.

○ Improved security configuration

- By implementing firewall and IPS in the point of connection with Internet, unauthorized accesses or attacks from outside were blocked.

- In school departments (distribution network), “TrusGuard” was deployed to partition the relevant security domain.

○ Benefits

1) Security domains per school departments were established.

- Different security policies per school departments (FW, IPS, AV, etc.)

2) Prevention of malware in school departments from spreading to the entire backbone network

- Minimizes the security threat (limited to department network)

3) Can provide NAC environment when synching with V3 in PC/server.

- Synched security of TrusGuard-V3

- Quarantine of infected PCs from network and automatic repair

* NAC (Network Access Control)

Page 56: AhnLab TrusGuard Standard Proposal Eng


Implementation Case: 00 City Hall (IPv6 Pilot Network)

[Diagram labels: IPv6 network in 000 district office; IPv6 network in 00 city hall; AhnLab TrusGuard; AhnLab TrusGuard; IPv6 Firewall; 6to4 Tunneling; 6to4 relay router; Internet; IPv4 commercial network; 6KANet; IPv6 connected network; IPv6 client network; RA (Router Advertisement); IPv6 PCs; IPv6 Server]

TrusGuard is “Korea's only network security solution” that is implemented in the IPv6 pilot network.

Page 57: AhnLab TrusGuard Standard Proposal Eng


Detailed Functions

Page 58: AhnLab TrusGuard Standard Proposal Eng


Specifications of Major Functions(1/6)

Firewall

Stateful Packet Inspection Type

Black & White list-Based Filtering

Guaranteed performance independent of policy and sessions

Various NAT functions : Static/ Dynamic NAT, Excluded NAT, NAT Traversal, Load-Sharing NAT, Twice NAT

IP/Port/ Firewall Policy-based QoS (Quality of Service)

Object-based intuitive set-up and easy-to-use management functions

Schedule-based policy setting(One-time, daily, weekly, monthly, yearly, a certain period)

Guaranteed availability: Active-Active, Active-Standby HA (without L4 switch)

Full-Mesh network configuration (without L2 switch), By-pass support

Password-based authentication, Internal OTP (One-Time Password) authentication, RADIUS linkage authentication

VoIP (SIP, H.323) Protocol Supported

Exporting Firewall policy function

Secure OS (ANOS)


Network

Route & Transparent Mode supported

Static & Dynamic Routing supported (RIPv1, RIPv2, OSPF)

Source Routing supported

Multicast Routing Protocol (PIM-SM)

802.1Q Vlan, 802.3ad Port Aggregation

DHCP Server/ DHCP Relay (in Bridge mode), DNS/ Split DNS

By-pass function supported

SNMP v1/ v2 supported

NTP supported

SIMS linkage supported

Page 59: AhnLab TrusGuard Standard Proposal Eng

IPSec VPN

Manual Key, IKE, IKEv2

Gateway-to-Gateway / Client-to-Gateway VPN

Bridge mode over IPSec

3DES, AES(128, 192, 256), SEED, ARIA Encryption Algorithm

SHA 1, SHA 2(256, 384, 512), HAS 160-certified Algorithm

Hub & Spoke/ Star/ Mesh Architecture

NAT Traversal supported

Dead Peer Detection supported

PFS (Perfect Forward Secrecy) supported

Prevent Replay Attack

Split Tunnel

PKI Standard synch (X.509 standard synch)

other IPSec Traffic Bypass

Firewall/ IPS interface

Multi-line Load-balancing supported (More 2 Lines)

Supports encryption accelerator

VPN Traffic QoS supported

Supports powerful monitoring of the entire VPN networks / appliances

IPv6 support (integrated support planned for May 2010)

IPv4/IPv6 Dual Stack supported

- IPv4 & IPv6 simultaneous Processing

IPv6 Networking/ Routing/ Packet Filtering supported

- IPv6 Static/ Dynamic Routing (RIPv6, OSPFv6)

- IPv6 Tunneling (6to4, ISATAP) & Translation (NAT-PT)

- IPv6 Stateful Inspection-based Packet Filtering

- Static NAT, Dynamic NAT, Excluded NAT

- IPv6 Log Collection and analysis

Specifications of Major Functions(2/6)

Page 60: AhnLab TrusGuard Standard Proposal Eng

Intrusion Prevention

Packet-based network attack detection & prevention

Signature-based Intrusion prevention : Approximately 5,000~6,000 Signatures

- Regular signature updates (1~2 times per day)

Behavior-based intrusion prevention

- Anti-Scanning, Anomaly detection, DoS/ DDoS prevention

User Defined Rules/ Signatures

- Configures exceptions to IP/port-based, or starting point/destination-based rules

Three-phased blocking method protects against 'Zero-Day' attacks

- Zero-Day Attacks Prevention (prediction and vulnerability attacks)

- Outbreak Prevention (Prevent a spread of initial attack)

- Known Attacks Prevention

The vendor creates its own signatures and has its own attack response capacity

- Capacity to operate a 24-hour virus response organization and provide analysis reports

Automatic and regular updates using AST(AhnLab Security Tower) and CDN(Contents Delivery Network)

MAPP(Microsoft Active Protections Program) partnership with Microsoft

Specifications of Major Functions (3/6)

SSL VPN

Gateway to Client VPN, User Level Access Control

IPSec VPN client level service

Stronger end-point security

- Keyboard stroke detection and firewall function upon initial access

Automatic installation of AOS(AhnLab Online Security) Firewall & AOS Anti-keyboard, and automatic deletion

- Deletion of HTTP cache and cookie data after usage

SSL VPN Dead Peer Detection

SSL VPN Client System Requirements: Windows 2000/ Windows XP/ Windows Vista, higher than IE 6.0

SSL VPN Active-Standby HA supported

Supports SSL accelerator(Optional)

Synchronization of internal DNS, WINS

Page 61: AhnLab TrusGuard Standard Proposal Eng


Specifications of Major Functions (4/6)

Intrusion Prevention

Threat responses (Includes 5000~6000 IPS Signatures)

- Worms, Spyware, Trojan, Downloader, Dropper, Mass-mailer, Phishing, Bot/ BotNet Prevention

- Backdoor Prevention

- TCP Reassembly, IP Defragmentation Prevention

- NetBios attack

- RPC attack

- Application/ Web attack Prevention (10 weaknesses of OWASP)

  . SQL/PHP Injection, Cross Site Script (XSS), Cross Site Request Forgery (CSRF) etc.

  . Attack through a weakness of IIS/ CGI/ MISC/ PHP

  . Attack through a weakness of OS/ a weakness of Internet Explorer, etc.

  . ARP Spoofing, Botnet control, etc, Shell Code, Script, Web Monitoring

- DoS, DDoS, Scan Prevention

- Exploit Attack Prevention

- E-mail Attack Prevention

- DNS Attack Prevention

- Anomaly Prevention

- Prediction and blocking of unknown attacks

- Block a P2P / Instant Messenger

- Signature update history management, Help provide signature

DDoS Protection

Contains dedicated engine to defend against DDoS attacks

TCP Flooding Prevention

- TCP SYN Flooding (Spoofing), TCP ACK Flooding (Spoofing), TCP NULL Flooding (Spoofing)

- Defends against SYN-ACK Flooding , IP Random Fragment Flag, RST Flooding attacks

UDP Flooding Prevention

- Defends against UDP Flooding (Spoofing), IP Random Fragment Flag attacks

ICMP Flooding Prevention

- ICMP Echo Flooding (Spoofing), ICMP Echo Reply Flooding (Spoofing)

HTTP BotNet Attack Prevention

- Defends against HTTP BotNet Attack

- Defends against CC (Cache-Control) Attack

Prevents other attacks

- Defends against Confuse TCP/UDP/ICMP Flooding attacks

Page 62: AhnLab TrusGuard Standard Proposal Eng


Specifications of Major Functions (5/6)

Anti-Virus

File-based virus, malicious code detection & prevention

Threats: Virus, Trojan, worm, spyware, adware, phishing, spam, and malicious sites

e-mail Virus in advance (Outbreak Prevention)

Supporting protocols: HTTP, SMTP, POP3, FTP, Oracle, and General TCP

Scan a zipped file (Enable to scan it maximum 5 times), File extension

24-hour monitoring & analyzing various threats in ASEC

24/7 real-time update through CDN (Contents Delivery Network)

Performance optimization through load sharing

Quarantine through detection of infected systems

Anti-Spam/Web Filtering

Spam Mail Blocking: Scan SMTP, POP3

RBL (Real-time Black List) & RPD (Recurrent Pattern Detection) engine-based spam detection

User-defined keyword-based spam blocking

- Keyword(title, content), Regular/ Wildcard

Support an allowed Mail List (IP Address from sender/ E-mail address)

Spam Mail in Quarantine: Certain Mail account forwarding and Saving

Website Filtering

- Interface with the database of the Korea Communications Standards Commission and blocking of user-defined URLs

- User-defined websites filtering supported (wildcard supported)

- Configures exceptions to starting point/destination-based websites filtering


Proxy

supported proxies : HTTP, POP3, SMTP, FTP, Oracle, DNS, UDP, General TCP

Active-X, JAVA Script, Applet, VB Script, Textarea tag, other tag blocked

Block a command (FTP, SMTP)

Block a Mail Relay (SMTP)

Block showing internal IP information to outside

Page 63: AhnLab TrusGuard Standard Proposal Eng


Specifications of Major Functions (6/6)

NAC

Network access control by linking with APC, the V3 anti-virus solution management program

- PCs that do not have APC installed have their internet access controlled and are redirected to an installation page

- PCs infected with malicious code are quarantined from the network and forcibly repaired by APC

Log Server

External Log Server (Separate S/W installation)

Real Monitoring of System/Firewall/IPS/Anti-Virus/Anti-Spam

Security Log Store/Collect/Analysis & Display

- More than 50 various analysis report

Integrated Manager

External Integrated Manager (Separate S/W installation)

- Manages multiple appliances

- Policy setting in multiple appliances

- Real-time Monitoring of management appliance.

Monitoring

Real time Monitoring of Log Data (System/Network/Firewall/IPS/Anti-Virus/Anti-Spam)

Statistics of various analysis information

Traffic Management (QoS)

Traffic bandwidth guaranteed for the entire traffic, by IP and by port

Supporting manual set-up and automatic set-up based on filtering results

QoS for each policy for traffic control

Policy/Schedule-based QoS support

Traffic shaping and policing support

Page 64: AhnLab TrusGuard Standard Proposal Eng


Specifications

Page 65: AhnLab TrusGuard Standard Proposal Eng


H/W Specification

| Category (Line-up) | TrusGuard 50 | TrusGuard 70 | TrusGuard 100P | TrusGuard 400 | TrusGuard 500 | TrusGuard 1000 | TrusGuard 10000 |
|---|---|---|---|---|---|---|---|
| Operation Mode | Route Mode / Transparent Mode | Route Mode / Transparent Mode | Route Mode / Transparent Mode | Route Mode / Transparent Mode | Route Mode / Transparent Mode | Route Mode / Transparent Mode | Route Mode / Transparent Mode |
| CPU | Single | Dual | Dual | Dual | Quad | Quad | Exclusive Multi Core |
| 10/100 Switch | 4 | 4 | - | - | - | - | - |
| Giga Port (Copper) | 4 | 4 | 6 | 4 | 4 | 4 | 8 |
| Giga Port (Fiber) | - | - | - | 2 | 4 | 8 | 8 |
| 10G Port | - | - | - | - | - | - | 2 (4 ports for expansion, Copper 1G * 8, except) |
| Bypass | Support Bypass (Copper) | Support Bypass (Copper) | Support Bypass (Copper) | Support Bypass (Copper/ SFP) | Support Bypass (Copper/ SFP) | Support Bypass (Copper/ SFP) | Support Bypass (10G/ SFP) |
| Firewall Throughput | 150Mbps | 300Mbps | 600Mbps | 1.2Gbps | 2Gbps | 4Gbps | 20G |
| Firewall+IPS | 80Mbps | 240Mbps | 400Mbps | 800Mbps | 1.2Gbps | 2Gbps | - |
| Max Session | 300,000 | 500,000 | 1,000,000 | 1,300,000 | 1,500,000 | 2,000,000 | 5,000,000 |
| Sessions / second | 6,000 | 6,000 | 10,000 | 15,000 | 20,000 | 27,000 | 100,000 |
| VPN Tunnels | 500 | 1,000 | 5,000 | 8,000 | 12,000 | 20,000 | - |
| Size (W×D×H mm) | 428x44x300 | 428x44x300 | 431x44.4x361 | 424x88x530 | 426x88.8x584 | 426x88.8x584 | 431.8x88x580 |
| Environment: Operating temperature | 0~40 deg C | 0~40 deg C | 0~60 | 0~40 deg C | 0~40 | 0~40 | 5~35 |
| Environment: Storage temperature | -20~75 deg C | -20~75 deg C | -20~70 | -20~80 deg C | -20~70 | -20~70 | 0~70 |
| Power | 150W Single Power | 150W Single Power | 1U ATX SPS / 180W | Redundant 460W/each | Redundant 600W/each | Redundant 600W/each | Redundant 500W |


Summary


TrusGuard: High-Performance/High-Quality Network Security

TrusGuard fully protects your assets through a high-performance firewall/VPN & provides high-quality security response capability.

[Figure: TrusGuard line-up plotted by Price/Performance across the segments Small & Branch, Middle Sized Enterprise and Data Center. Models shown: TrusGuard 50, TrusGuard 70, TrusGuard 100, TrusGuard 400, TrusGuard 500, TrusGuard 1000, TrusGuard 10000. Features: Firewall, DDoS, IPSec & SSL VPN, IPS/ AV/ AS/ Web, IPv6, CC, Log Server, Integrated manager.]


Appendix. Main UI View


Prevention of Major Attacks: Sample

1. Defense against DDoS attack

Blocked DDoS attacks

- ICMP Flooding/Trinoo, etc.


Prevention of Major Attacks: Sample

2. Defense against SQL injection attack

Blocked SQL injection attacks

- WEB-MISC Demarc, etc.


Prevention of Major Attacks: Sample

3. Defense against worm attack (1)

Blocked worm attacks

- Exploit, Active X attack, etc.


Prevention of Major Attacks: Sample

3. Defense against worm attack (2)

Blocked worm attacks

- BAD-TRAFFIC data, etc.


Prevention of Major Attacks: Sample

4. Defense against spyware attack

Blocked spyware attacks

- Win32-Trojan

- Win-Spyware, etc.


Main UI View

1. Detailed monitoring screen (1)

“Graphical display” of network statistics

Monitor type

- Network usage

- Usage by protocol

- Usage by service


Main UI View

1. Detailed monitoring screen (2)

“Graphical display” of threat detection/block statistics by IPS

Monitor type

- Statistics by perceived risk level of attack

- IPS detection/block log

- Top 10 attacks


Main UI View

1. Detailed monitoring screen (3)

“Graphical display” of detection/block statistics of virus attack

Monitor type

- Virus statistics by protocol

- Virus detection/block log

- Top 10 viruses


Main UI View

1. Detailed monitoring screen (4)

“Graphical display” of detection/block statistics of spam mail

Monitor type

- Spam mail block statistics by filter

- Spam mail detection/block log

- Top 10 Spam mail


Main UI View

1. Detailed monitoring screen (5)

“Graphical display” of detection/block statistics of harmful websites

Monitor type

- Website filtering statistics by filter

- Harmful website detection/block log

- Top 10 Filtered websites


Appendix.


Appendix. ASEC – Overview

ASEC (AhnLab Security E-response Center) is a global security response unit by AhnLab consisting of the best malware analysts and security experts.

24*365 service

• ASEC monitors, analyzes and responds to new threats from around the world 24 hours a day.

Integrated signature for network & end-point

• ASEC provides integrated signatures for various threats occurring in networks, PCs, servers, mobile devices, etc.

Regular analysis information

• ASEC provides detailed information on malware and vulnerabilities. Trends in security threats are provided through ASEC reports.

Monitoring/analysis systems for various threats

• ASEC Intelligence Network™

• BotNet™: BotNet information management system

• WebMon™: Website monitoring system

• BlueBox™: Malware packet gathering system

• Competence analysis system for vulnerability signature (planned)


Appendix. ASEC – ASEC Response Process

ASEC (AhnLab Security E-response Center) has been providing powerful security service through 'malware & vulnerability analysis and response process' for more than 15 years.

[Figure: ASEC response process flow. Diagram labels: Malware outbreak; Sample analysis; Sample collection; Emergency response decision; Detailed sample analysis; End of emergency response; Distributes analysis info.; Writes engine; QA test; Engine upload.]


Appendix. ASEC – Security Threat Analysis Methodology

ASEC's security threat analysis methods are as listed below.

Analysis types: Dynamic Analysis, Static Analysis

File analysis

1. File form analysis
2. In-use API analysis
3. String analysis

Symptom analysis

1. System analysis
2. Process analysis
3. Registry analysis
4. Network analysis
5. Other analyses

Information analysis

1. Additional analysis of symptoms
2. Gathering of various information
3. Check relevant matters.

Code analysis

1. Dis-assembling
2. Debugging

Writes engine

1. Malicious code decision
2. Produces diagnosis signature & function.
3. Writes analysis info.

• Vulnerability exploitation

• Use of executable compression technique

• Use of rootkit

• Sophistication of concealment technique (file, process)

• Use of polymorphic technique

• Leakage of private information

• Spyware + Trojan horse

• Various infection methods


Appendix. ASEC – Synch with CERT

Through organic synch of 'ASEC-CERT', AhnLab provides effective responses to active malicious codes and attacks.

ASEC: AhnLab Security E-response Center

CERT: Computer Emergency Response Team

Threat monitoring & response

- Real-time response to threat/attack report from CERT

- Security response prior to security patch through MAPP partnership with Microsoft

- Real-time attack/threat information gathering through managed security clients

- Delivery of real-time attack/threat information to ASEC

By applying the threat monitoring & analysis information by ASEC-CERT in real time, AhnLab provides effective protection against zero-day attack.

[Figure: ASEC-CERT synchronization diagram. Diagram labels: INTERNET; KT; DACOM; SK; AhnLab AST Server; AhnLab CDN; CDN/AST; ASEC; CERT; Clients; Signature Update.]


Appendix. ACCESS system diagram (AhnLab Cloud Computing E-Security System)

ACCESS, a comprehensive threat analysis system by AhnLab based on cloud computing technology, provides prompt and effective response to fast-changing security threats.

[Figure: ACCESS system diagram. Diagram labels: Security partners (Government/Overseas); SMBs (V3 MSS, SiteGuard); V3 IS 8.0; SiteGuard; APC 4.0; SiteGuard Security Center; TrusGuard; Large enterprises; Game/Banking (AOS, HackShield); Comprehensive threat analysis system; N/W threat info.; Malicious codes; Dangerous URLs; CERT; ASEC; Monitoring / Response; Smart Defense; SiteGuard; Heuristic; Managed security center; Security management infrastructure; V3 Engine; TrusGuard Signature; Individual users (V3 365, SiteGuard, Mobile Security); Data center/service provider; New; SiteGuard Database; Smart Defense Database.]


Beyond Security, More than Security

AhnLab TrusGuard

Thank you.