Embed Size (px)
Citation preview
善用可視化訊息保護校園網路安全 如何簡化整體資安架構並提昇應用效率 資安訊息派送平台 – Security Delivery Platform
Simon Chien 錢旭光 Regional Sales Director Taiwan & Vietnam
2 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
� 成立於 2004年美國加州,2005年第一個產品交貨–2013年六月在NYSEIPO� 創造了DataAccessNetwork–現在稱為UnifiedVisibilityFabric架構� 多項專利技術 –13項專利,28項申請中� 超過 2000個集團大型客戶使用GigaVUE,分布在 60多個國家� 美國開發與生產
� 超過75個世界 Fortune100公司已採用Gigamon的方案
Gigamon Inc. – 美商奇望 The Company. The Team. The Results.
3 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
Q4 2014 Q1 2015 Q2 2015 Gigamon 18.9% 47.5% 47.6%
49.2% ( Net Optics ) -19.2% ( Net Optics )
47.1%
11.6%
Based on financial reporting.
Gigamon – Visibility 產業的領先者
Gigamon 與 競爭友商業務成長比較 (最近10季度)
4 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
Source: Gartner Trends Telecom Forecast (March 2014)
全年資安預算執行了數百億美元的安全防範 投資不可謂不多了
FIREWALL/VPN 設備�
$6,721M
IPS
$1,520M 具資安功能 ROUTERS
$968M
企業網路安全設備防毒, EMAIL; WAF,NAC … $9,209M
5 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
資安問題卻不斷發生 – 規模之大令人震驚
*http://variety.com/2014/film/news/sony-hack-unparalleled-cyber-security-firm-1201372889/ +http://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/ ++http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/
“Sony公司CEO, Michael Lynton, 告訴員工, Sony公司嚴密的資安防護網因被黑客駭入而員工個資及內部資料被竊取的狀況空前嚴重” *
“…美國人事行政局 (OPM) 指出大約有22.1M 個人資料已被盜用 … ” +
“美國第二大健保公司安泰公司, Anthem Inc. , 正式宣佈約有8千萬客戶資訊被盜用 ” ++
6 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
未來的校園網路與資安會有什麼變化嗎?�
校園網管與資安的人力不會增加! 而預算更會逐年減少!
校際合併更增加管理與資安的複雜性!�520後; 對岸網軍的攻擊是否加劇? 駭客竊取資料的APT攻擊行為更多!
7 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
• 當今網路資訊安全的架構趨勢已由防堵(Prevention)模式轉化為偵測與立即反應 (Detection & Response) 模式
• 此種資安運作模式必須仰賴一套整合式的資安聯結架構, 以供各種不同資安設備的佈建與擴充
• GigaSECURE是業界首套資安訊息派送平台 (Security Delivery Platform) , 此架構將轉化現有資安服務建置的方式 – 使資安設備更有防治效益, 更自動化, 更降低成本
給主任與網路資安組長的提醒 –
8 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
Introducing GigaSECURE®
業界第一套資安訊息派送平台
SECURITY DELIVERY PLATFORM
8 © 2015 Gigamon. All rights reserved.
9 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
是該將主動權由攻擊者手上移轉至防禦者的時侯了
如何鎖定資安威脅: 現有的資安佈建面臨巨大挑戰 視別訊務有地點或時間的限制
Internet
Routers
“Spine” Switches
“Leaf” Switches
Virtualized Server Farm
Intrusion Detection System
Data Loss Prevention
Email Threat Detection
IPS (Inline)
Anti-Malware (Inline)
Forensics
資安防禦的挑戰: • 整體網路盲點太多無法全面視別 • 為達資安效能要求導致成本極高 • 資安設備爭奪訊務流量的取得 • 訊務流量無法保持一致性 • 加密封包無法快速解密 • 導致太多假警報 false positives
10 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
Intrusion Detection System
Data Loss Prevention
Email Threat Detection
IPS (Inline)
Anti-Malware (Inline)
Forensics
網路可視性Visibility的革命: 資安訊息派送平台
Intrusion Detection System
Email Threat Detection
IPS (Inline)
Forensics
Data Loss Prevention
Anti-Malware (Inline)
Internet
Routers
“Spine” Switches
“Leaf” Switches
Virtualized Server Farm
資安訊息派送平台 Security Delivery Platform
按應用程式類型 獨立識別,進行有
目標性的檢測
提供加密流量的 可視性,保障加密
流量不含有威脅
Inline bypass 為 多層資安架構環境
提供可視性
全網完整覆蓋: 實體網與虛擬網
不抽樣的統計數據 生成,改善資訊
的鑑職準確度
Security Delivery Platform: 創造高效益資安系統的基礎平台
11 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
GigaSECURE® 的優勢
ü 全面性的訊務視別能力 ü 精密篩選訊務供不同資安設備
ü 大幅提昇資安設備效能
Legacy Approach Without Gigamon
Enterprise LAN
Security Tool Security Tool Security Tool Security Tool
Irrelevant Traffic
Relevant Traffic
With Gigamon Security Delivery Platform Security Tool Security Tool Security Tool Security Tool
Enterprise LAN
Relevant Traffic
• 只見局部網路點之訊務 • 無法控制要取得哪種訊務
• 資訊設備的效能無法善用
12 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
GigaSECURE發表後得到產業分析報告的認同
“This makes a ton of sense… It’s a powerful message.” - Jon Oltsik
“I agree with you 100%... You can no longer keep the bad guys out. Security is more than just protecting the perimeter. You need to look inside.” - Lawrence Pingree
“Even the best security appliance isn’t going to do any good if it isn’t getting the right traffic.” - Frank Dickson
“This is ahead of the curve; it’s timely” - Zeus Kerravala
“This is pretty cool! There’s a desperate need for this type of solution.” - Andre Kindness
13 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
至今已超過 35 家資安合作伙伴支持
14 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
Third Party Applications, SDN Controller Integration, etc…
Applications & Tools Infrastructure, User Community
Gigamon全範圍可視化方案 - Visibility Fabric™
Traffic Intelligence
Visibility Fabric Nodes
(Pervasive visibility across physical, virtual, remote sites, and future SDN production networks)
Fabric Services Flow Mapping®
Fabric Control (Management)
Applications
Inline Bypass
GigaVUE-HD8 GigaVUE-HD4 GigaVUE-HB1
GigaVUE-HC2 H S
erie
s
TA S
erie
s
Virt
ual V
isib
ility
GigaVUE-VM
TAPs
G-TAP Series ü Optical Passive ü BiDi ü High-Density ü Active
Embedded TAPs
G S
erie
s GigaVUE-2404
GigaVUE-420
G-SECURE-0216
FlowVUE™
Packet Slicing
De-duplication
Masking
GTP Correlation
Header Stripping
NetFlow Generation
Application Session Filtering
SSL Decryption
Adaptive Packet Filtering
GigaVUE-FM
Clustering
API
GigaVUE-TA40
GigaVUE-OS on white box
GigaVUE-TA1
API
15 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
校園常應用方案範例�
16 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
應用一 : In-Line Bypass 增進資安運作效能與彈性 解決了資安與網路組的棘手問題
SiSi SiSi
Firewall1
Switch x 2
Switch x 2
Switch x 2
IPS1
WAF1
Firewall2
IPS2
WAF2
提昇資安設備檢測能力與網路速度匹配
任何資安設備的變動, 如新加/移除設備, 版本升級, 並不影響網路運作
提昇整體資安效能與網路架構的靈活性
整合串接 Inline, 旁接 Out-of-Band, Flow-based 設備於 GigaSECURE® 平台一體架構
簡化資安連結架構
SiSi SiSi
heartbeats
heartbeats heartbeats
heartbeats
10G 10G
WAF IPS Firewall1 Firewall2
Inline Bypass
17 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
• 把流量均衡分配到幾台設備上,擴大資安管理的規模 • 同時,加入頻外(out-of-band)分析工具,擴大資安管理的能力
應用一 : In-Line Bypass 增進資安運作效能與彈性 一對一、一對多
Port A1 Port B1
Inline Bypass
18 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
• 合併多條線路的流量 (最多可以36條線路),轉發去同一台 inline 資安分析設備上 • VLAN標籤用來區分回路 (回到真正線路前會自動去掉)
應用一 : In-Line Bypass 增進資安運作效能與彈性 多對一、多對多
Port A1 Port B1 Port A2 Port B2
VLAN 101 VLAN 101 VLAN 102 VLAN 102
Inline Bypass
19 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
應用一 : In-Line Bypass 增進資安運作效能與彈性 Application-Aware Bypass, Serial Inline Tools
A1 B1 A2 B2 A3 B3
Application Aware Bypass Serial Inline Tools
• 依不同應用程式種類需要去篩選訊務流量至不同資安設備
• Inline訊務流量可以啟用Flow Mapping功能 • 對不同資安設備可建立專屬L2-L4篩選政策 • 對不需監的訊務流量直接Bypass • 可提昇網路與應用程式效能
• 可同時送串聯訊務流量到多個資安設備介面 • 可以Bypass 有問題的資安設備而不會導致
網路中斷 • 串聯設備一台斷線導致全部流量中斷
• 可任意增加/移除或昇級資安設備而不影響網路運作
A1 B1 A2 B2 A3 B3
Inline Bypass
20 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
應用二 : NetFlow / IPFIX Generation 資安訊息派送平台產生不同需要的NETFLOW METADATA內容
NetFlow / IPFIX Generation
• 1:1式NetFlow/IPFIX的輸出, 可增進 “慢速攻擊” 的偵測 • 可依不同資安設備設定不同篩選條件的NetFlow記錄 • 可以Offload資料傳輸交換器產生NetFlow/IPFIX的負擔
• 經由全流量Flow的視別可達成全域性 (End-to-End) 的資安防禦 • 對於利用資料傳遞通訊流程的攻擊方式特別有效地偵測 • 與市面領先之SIEM廠家或NetFlow統計鑑識設備商均有結合運作範例
Advanced Information Elements
• 可以選用輸出URL訊息至所產生的客製化格式中 • 至多可以同時輸出6個不同NetFlow v5/v9 and IPFIX的接收/分析設備 • 可結合LLDP/CDP 定位資料傳輸來源介面
Flow Metadata
SIEM and NetFlow Forensics Integration
21 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
應用二 : NetFlow / IPFIX Generation SPEEDING UP TRIANGULATION ➡ FASTER ANALYTICS
DNS query and response information
DHCP query and response information
URL access Information
HTTP request, response information
SSL certificate information
Kerberos and user login information
Server, application connectivity information
User flow records and session information
Intrusion Detection System
Data Loss Prevention
Email Threat Detection
IPS (Inline)
Anti-Malware (Inline)
Forensics
GigaVUE-VM and GIgaVUE® Nodes
Application Session Filtering
SSL Decryption
Inline Bypass
Context and Intent-based Big Data Analytics
NetFlow / IPFIX Generation
Metadata Engine
NetFlow / IPFIX Generation
22 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
應用二 : NetFlow / IPFIX Generation SOME EXAMPLES
6 5 4 3 2
Phishing & zero day attack Back door Lateral
movement Data
gathering Exfiltrate
1 Reconnaissance
Patient zero analysis with HTTP, HTTPS and DNS analysis
C&C analysis with URL, HTTP, SSL certificate and DNS analysis
Anomaly based detection through flow, login, and session analysis
URL, volumetric, HTTP / HTTPS, SSL certificate, DNS analysis
NetFlow / IPFIX Generation
23 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
OS
DB
DB Server
Leaf
Core Core
Leaf Leaf
Spine
Leaf
Spine
應用三 : 虛擬主機與VDI - GigaVUE-VM LIGHTWEIGHT VM,非侵入式的NFV架構流量收集
應用管理 APM
網路管理 NPM
資安檢測
工具集中 部署
GigaVUE-VM • Flow Mapping™
• 按VM、tcp/udp 埠進行過濾 • 封包裁切 • 多通道方式送封包去中心設備
進階流量處理 • 去除重複封包 • 敏感資料遮罩 • Source Port標籤 • 表頭移除
• 時間戳記 • 應用特徵過濾 • NetFlow Generation • SSL封包解密
Network Tunnel Port
Tunneling
DB
GigaVUE-VM and GIgaVUE® Nodes
所有分析工具與系統收到同一個源頭分發的數據,方便以後關聯分析,也提高了關聯分析準確性
24 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
應用三 : 虛擬主機與VDI - GigaVUE-VM
GigaVUE-FM
Traffic
Policies
APM
NPM
Security
CEM
Tunneling
VDS, VSS, N1k
VMware ESXi VMware ESXi
VDS, VSS, N1k
• Host-based approach ⎻ GigaVUE-VM on
every ESXi host • Traffic of interest extracted
from virtual switch ⎻ VDS, VSS, Nexus 1k
• Integration with vCenter • Approach is “admin friendly”
GigaVUE-VM
GigaVUE-VM and GIgaVUE® Nodes
25 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
H系列叢集功能Clustering 跨機型配置
• Control Plane 與 Data Plane 分隔
• 可選40Gb埠作為 Stacking埠
• Control plane 與 control card的數據流量隔離
• Master, Standby, 及 normal nodes
25
Master
Standby
H系列叢集
26 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
Email Threat Detection
Forensics
GigaSECURE : 管理平台與自動化 經由 GIGAVUE-FM API介面與資安設備做可程式化互動
Virtual Workloads
GigaVUE-FM
Production Network Security Functions
Virtual Traffic Policies
“REST” APIs
Internet Intrusion Detection System
Data Loss Prevention
Management & Orchestration
27 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
• Function: combines stateful firewall with DPI and IPS • GigaSECURE Value-add
– Visibility to the network i.e. branches – NetFlow Generation with URL and DNS info – Traffic manipulation and grooming – Load balancing – SSL decryption – Fault tolerance
• Leading Vendors: Fortinet, Palo Alto • Opportunities: SSL decrypt offload, network firewall
replacement, product bake offs, NGFW for insider threat detection
Gigamon + NGFW FAULT TOLERANCE AND CPU OFFLOAD
28 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
The Blue Coat Solution VISIBILITY AND CONTROL OF SSL ENCRYPTED TRAFFIC AT SCALE
29 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
臺北某科技大學 計算機與網路中心 Gigamon 教育單位實用範例分享
30 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
• GigaVUE-HC2 – 具備可供4個HC2模組擴充 – 可擴充GigaSMART模組
• In-Line連接設備 – 次世代防火牆設備 – 流量控制設備
• Out-of-band連接設備 – SIEM設備 – 流量分析設備 – POC設備
架構介紹 – 使用之設備
31 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
• 採用BPS-HC0-D25A4G模組 – 可控制實體Bypass SR/SX 固定式Port 4組 – 可控制邏輯Bypass Port 可接SR/SX及LR/LX 16個
架構介紹 – 使用之模組
32 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
• 本校因承辦技專校院招生委員會聯合會相關業務。因應教育部政策,資安等級提升為A級。
• 評估峰值流量為6Gbps至8Gbps。 • 現有APT、WAF不是無對應流量之型號或是無法負荷之預算金額。 • POC測試設備時無法克服
– 核心交換器因Mirror Port過多無法負荷。 – 某些測試設備必須Inline,上線時調整線路造成斷線。 – 測試設備異常無法即時拔除。
本校問題點
33 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
本校 In-Line 連接架構示意
Stack WAN Switch1 WAN Switch2
VSS
Core (Local) Core (Remote) NG Firewall
QoS Device
34 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
本校 Out-of-band 連接示意
SIEM
• 可透過設定將多路聚合 (多對1)
Flow Analysis
POC Device
POC Device
35 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
• 設備採購成本降低 – 緩衝資安設備HA一次到位預算壓力 – 使用Map Filter 依照條件決定流量路徑。8Gb流量也能用4Gb設備,如:
• IP Dst 非Server Farm 不通過WAF設備 • 非SSL封包不通過SSL解密設備 • 非關鍵業務網段不通過APT設備
• 高度彈性 – 可控制介面,依需求彈性切換使用模式不浪費 – 依政策需求可調整個別設備故障政策(Fail Open、Fail Close) – 設備測試、維護及升級不斷線,提升業務持續運作成效
建置後現階段效益
36 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
Gigamon 校園特惠方案�
37 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
WAF
IPS
Firewall1
Firewall2
heartbeats
heartbeats
Router1 Router1
SiSi
Core Switch
Core Switch
10G 10G
Tunneling SiSi
最具效益的校園資安訊息派送平台架構�具備下列效益功能 • IN-LINE BYPASS
• LOGICAL BYPASS
• FLOW MAPPING
• VIRTUALIZATION VISIBILITY
• LOAD BALANCE FOR TOOLS�
38 Confidential and Proprietary. For Internal Use Only. © 2015 Gigamon. All rights reserved.
教育單位特惠分期方案�立即提昇效益, 輕鬆分期�
�SKU ProductDescription QTY 含稅優惠價 月租費
GFM-FM001 GigaVUE-FM,manage1PhysicalVisibilityFabricNode 1
SFP-532 10GigSFP+,Multimode850nmSR 8
GVS-HC201 GigaVUE-HC2baseunitw/chassis,ControlCard,1FanTray,CLI,2powersupplies,ACpower 1
BPS-HC0-D25A4G
BypassComboModule,HCSeries,4SX/SR50/125BPSpairs,1610Gcages 1
GFM-VM010 GigaVUE-VM10PackBundleSWLicenseExtension 1
GSS-FYS-STDFirstyearGigamonStandardSupportLevel(8X5),boughtwithproductorwithin1yearoforiginalpurchaseofproductafterJuly1,2015
3年
2,880,000 8萬元
Thank You!
39
