
AhnLab TrusGuard Standard Proposal
"The Best of Network Security solutions, AhnLab TrusGuard"

July, 2010
Table of Contents

Recent Trend in Security Threats
Network Security Trend
Product Overview
Special Advantages of AhnLab TrusGuard
Customer Benefits
Implementation Case
Detailed Functions
Specifications
Main UI View
Appendix.
Recent Trend in Security Threats
Recent Trend in Security Threats: Overview

The latest trend in security threats can be described as "Diversification, Complexity, Systemization."

• Malware (Virus, Worm, Trojan, Bot) is still a big threat.
• Complexity: SPAM + Trojan + Phishing + Pharming combined in one campaign
• Spread of DDoS and attacks on web applications
• Limitations in patch management
• Change of target from the unspecified general public to a specified target
• Emergence of profit-motivated cyber crimes

[Figure: evolution of attackers and their motivation. Attacker: Script Kid → Attacker → Professional / Organized Crime. Attack: The Hack → The Virus → The Bot → Injection, XSS. Motivation: Pure curiosity → Attack → Profit gain.]
Recent Trend in Malware

Since 2008, Trojan horses that steal internal and account information have remained prevalent, and infections by worms, which typically spread attacks across internal networks, as well as the emergence of new worms, are increasingly reported.

• Trojan horses for stealing internal & account information still take up a large part of the threats to enterprises (39%)
• Reports of infection by "spreading worms", which severely hinder the availability of internal networks and systems, and of their new variants are increasing
- Infection by worms through USB mobile storage devices is still happening
- Together with the popularization of wireless LAN, infection by worms through unauthorized PCs connecting to the internal network is increasing

[Chart: Infection by Malware Types, 2009 (Trojan 39%; other categories shown: Virus, Worm, Script, Dropper, Downloader, Adware, Others). Source: AhnLab ASEC Report (Dec., 2009)]
[Chart: Infection by New Malware Types, 2009 (categories shown: Trojan, Virus, Worm, Script, Dropper, Downloader, Adware, Others). Source: AhnLab ASEC Report (Dec., 2009)]
DDoS Attack Trends (1)

The major threat in the recent network-based attack trend is DDoS.

[Chart: Incoming threat types to networks in Korea, as of Nov., 2009 (UDP Flooding, TCP SYN Flooding). Source: KISA monthly bulletin of Internet incident trend & analysis (July)]

ISPs: threat trend
○ The analysis of incoming threat types to ISP networks revealed:
- UDP Flooding, a variety of DDoS attack, was the major threat.
- The most common DDoS attack, TCP SYN Flooding, is occurring consistently.

[Chart: Monthly trend of infection by malicious Bots in Korea: percentage of infected PCs in Korea among worldwide PCs infected by Bots. Source: KISA monthly bulletin of Internet incident trend & analysis (Nov., 2009)]
○ A Bot is malicious code that produces large numbers of zombie PCs used for DDoS attacks.
○ When the number of Bot-infected PCs increases, the threat of DDoS attacks also increases.
○ The Bot infection rate in Korea has decreased greatly since 2008 (average 10% in 2008 → average 1% in 2009).
DDoS Attack Trends (2)

DDoS attacks have shifted from attacks that drain bandwidth to attacks that drain system resources and target application weaknesses.

1st stage DDoS (early to mid 2000s): Network resource draining attacks
• Flooding attacks
- ICMP Flood attack
- UDP Flood attack
• Amplification attacks
- Smurf attack
- Fraggle attack
(Simple, traffic-inducing attacks)

2nd stage DDoS (2006 ~ 2007): TCP/Application weakness attacks
• TCP 3-way handshake attacks targeting weaknesses
- SYN Flooding attack
- ACK Flooding attack
- SYN+ACK Flooding attack
(Network draining attacks)

3rd stage DDoS (2008 ~): Complex / Intelligent attacks
• Flooding attacks + weakness attacks
- HTTP GET Flooding
- ICMP Flooding
- TCP SYN Flooding
- UDP Flooding
(Complicated & intelligent, automated attacks; targets all citizens; organizational and political purposes, financial gain)
DDoS Attack Trends (3)

DDoS attacks are targeting every type of business regardless of size.

Any company that uses the internet to provide services is vulnerable to DDoS attacks.

[Recent Attacks]
Various companies in the financial industry, public sector, small online service companies, etc. are exposed to the threat of DDoS attacks.
○ 2009.7 : 7.7 DDoS Crisis
○ 2008.8 : Game rating board's homepage shut down for 9 hours
○ 2008.6 : Grand National Party's homepage shut down due to a DDoS attack
○ 2008.3 : Mirae Asset's homepage shut down for 1 hour, money demanded
○ 2007.9~10 : Game item trading site was attacked and money demanded
○ 2007.6~8 : Money demanded from travel and pension reservation sites, etc.
○ 2007.5 : Estonian government and parliament sites paralyzed for 3 weeks
○ 2007.1 : DDoS attack on a domain registration proxy company

[Timeline: 2000: early DDoS attacks (Amazon, eBay, Yahoo); 2006: DDoS attacks from viruses, IRC Bot DDoS attacks; 2008: Mirae Asset DDoS, increase in money-stealing DDoS attacks; 2010: rapid increase in DDoS attacks]

[Attack Method]
○ Omnidirectional attacks using various protocols such as TCP / UDP / ICMP / HTTP
○ Flooding attacks using malicious IRC Bots are the mainstream
○ Attacks send from 500 Mbps ~ 1 Gbps (small attack) to 40 ~ 50 Gbps (large attack) of traffic to shut down systems or paralyze service
Threats that exploit vulnerabilities in web applications

The most prevalent threat types in web application attacks are XSS (Cross-site Scripting) and SQL injection. They exploit vulnerabilities to leak private information, steal account privileges and alter/destroy data.

[Chart: Major threat types exploiting web vulnerabilities, 2008: SQL Injection 18.3%, XSS 13.7%, Buffer error 9.8%; further categories shown: Access control, Input validation error, Resource management error, Directory search, Information leakage, Others. Source: KISA monthly bulletin of Internet incident trend & analysis (Dec., 2008)]

○ SQL injection, XSS (Cross-site Scripting) and buffer error ranked 1, 2 and 3 among the major web vulnerability threat types in 2008.
○ SQL injection attacks increased rapidly due to the wide distribution of automatic mass SQL injection tools like "Jeopard in a hole."
○ The SQL injection attack type is changing:
- from stealing data inside the DB
- to infecting connected users with malicious code by planting the malicious code inside the DB.
Diversified Attack Routes (1)

As various IT devices and applications emerge rapidly with the advancement of Internet business, the client's system is becoming over-exposed to numerous attack routes.

[Figure: attack routes into the client's system: Internet surfing; vulnerabilities in OS and commercial programs; mobile storage devices; instant messaging programs; P2P programs; E-mail; wireless; file download]
Diversified Attack Routes (2)

Indeed, downloading of spreading worms and zombie malware during web surfing is rapidly increasing.

• Among the attack routes of viruses and worms in Korean companies with 5 or more employees, "infection through downloading from the Internet" ranked highest with a rate of 85.0%.
• By industry, manufacturing (89.1%), wholesale (87.7%) and construction (87.6%) showed relatively higher rates of "infection through downloading from the Internet", and even in banking and insurance the rate was 80.8%.

[Chart: attack routes of viruses and worms, share of companies reporting each route]
Download from Internet: 85.0%
By visiting certain websites: 54.5%
E-mail: 50.8%
Shared folder, internal networks: 42.4%
Storage devices (CD, USB, etc.): 34.1%
By external hacking: 17.5%
Others: 2.4%
Source: Survey on information security in enterprises, 2008
Network Security Trend
Performance & Scalability, All at Once!!

Technology in network security appliances is progressing toward multi-core based, high-performance platforms.

Single-core based hardware
• Pentium or Xeon base
• Low-end H/W platform
• Limited performance

Network Processor / ASIC based hardware
• Specialized chipset base
• Exclusive packet-handling processor
• High-performance packet handling & delivery
• Difficult to add functions
- Customization not allowed
- Difficulty in time-to-market

Multi-core based hardware
• Multi-core processor base
• High-end H/W platform
• Linear performance enhancement when an additional core is added
• Easy to add functions & excellent at combating fast-changing security threats
From Single-Purpose to Integrated Multi-Purpose…

With the rapid advance in H/W technology and the tendency toward Green IT, "integration of practical security functions" is the new direction in network security appliances.

Single-purpose (~ mid 2000s)
• Firewall only, VPN only approach
• Low-end H/W environment
• Lack of elaborate functions
- Limited performance

Combined functions (mid 2000s ~)
• Integration of Firewall & IPS
- Combination of functions
• High-end H/W
- Overcoming the performance limitation of multi-functions
• Elaborate functions enabled

Practical integration (2010 ~, current)
• Green IT in Security
• Integrated Security
- Firewall+VPN+IPS+AV+AS
• Overcoming performance limitations
- Advance of multi-core H/W
- 16 cores → 32 cores or more
- Continuous expansion of performance
Product Overview
Product Overview

AhnLab TrusGuard is an "Integrated Network Security System" that combines "Firewall/VPN-based, high-performance network security" with strong "Security Threat Response Technology."

Network security functions
• Firewall / Networking
- Stateful inspection filtering
- Route / Transparent mode
- Dynamic routing / QoS function
- IPv6 support (as of May 2010)
• VPN
- SSL VPN function
- IPSec VPN function (G-to-G, G-to-C VPN)
• DDoS defense
- Equipped with an exclusive engine for DDoS defense
- 6-phase response
- Protection against attacks of various types (flooding, draining of application resources)
• Integrated management
- Log analysis & real-time display
- Correlation analysis of threat data
- 50 types of security analysis reports
- Integrated policy management of many appliances

Contents security functions
• I(D)PS
- Signature-based detection & prevention of attacks
- Behavior-based detection & prevention of attacks
- More than 6 thousand rules for detecting attacks
- 3-phase mechanism for preventing attacks
- NAC function (synched with end-point V3)
• Anti-Virus
- Prevention of intrusion by virus, worm, spyware, phishing, etc.
- Supports HTTP / SMTP / POP3 / FTP
- Equipped with V3 engine
- 365*24 ASEC service / CDN
• Anti-Spam / Web Filtering
- Black list-based spam filtering
- Spam engine-based filtering
- Keyword-based filtering
- Spam quarantine & storing
- Access filtering of harmful sites
Special Advantages of AhnLab TrusGuard
TrusGuard Features: Overview

AhnLab TrusGuard distinguishes itself through the synergy of an organic combination of "high-performance, high-quality network security technology" with "proactive, comprehensive integrated security technology."

Network Security: High Performance & Flexibility
• High-quality firewall technology
• High-performance platform & optimized design for multi-core
• Flexible VPN with enhanced security
• Flexible network security (IPv4 & IPv6)

Management: Simple & Graphical
• Intuitive & graphical information display
• Embedded, real-time monitoring information
• External log server / manager

Integrated Security: Proactive & Comprehensive
• No.1 security response technology
• Largest security response infrastructure
• Competitive IPS function
• Security response to "zero-day & emergent" attacks
• Prevents zombie malicious codes by linking with ACCESS
• Specialized DDoS engine (overseas patent-pending)
• V3-synched NAC function
• Powerful anti-virus / anti-spam

* ACCESS (AhnLab Cloud Computing E-Security System): a centralized, real-time threat monitoring & analysis system based on cloud-computing technology
TrusGuard Features – High-Quality Firewall

TrusGuard is based on elaborate and reliable high-quality firewall technology.

The design of TrusGuard is based on "Suhoshin Absolute", the best firewall solution in Korea. "Suhoshin Absolute" was the first commercial firewall in Korea and has proven its technical reliability and performance in the market by acquiring more than 3,000 client references during the last 10 years.

Stateful Inspection
• Provides performance independent of the number of rules.
• Based on black list / white list.
High Availability
• Fail-over function (Active-Active, Active-Standby)
• Can back up without a separate L4 switch (session / rule synch)
• Full-mesh structure
Port Aggregation
• Uses 2 or more physical ports as a single logical port.
• Can process traffic equal to bandwidth × number of ports.
• Handles large traffic easily and provides fail-over among ports.
Quality of Service
• Can set/limit the maximum traffic volume when setting a security policy.
• QoS settings can be established by policy / IP / port.
• Supports policy-based & schedule-based QoS.
NAT
• Static (1:1) / Dynamic NAT (1:N, M:N), Twice NAT
• Excluded NAT, NAT Traversal, Load-Sharing NAT
Routing
• Static / dynamic routing (RIP, RIPv2, OSPF)
• Supports multicasting / source routing.
VoIP support
• Supports SIP, H.323 communication.
Authentication
• Internal OTP, external RADIUS synch
Others
• Supports 802.1Q VLAN.
• Supports DHCP server & DHCP relay.

[Figure: HA setting (Active-Active, Active-Standby) between the Internet and the server farm]
TrusGuard Features – High-Performance

TrusGuard is based on a high-performance hardware platform and a S/W architecture design optimized for that platform.
To achieve high performance when running multiple functions, every model of TrusGuard (except the SOHO model) is configured with a multi-core platform and an optimized architecture design.

[Figure: distribution of functions over cores. Core 1: Firewall; Core 2: VPN; Core 3: IPS / DDoS; Core 4: Anti-Virus / Anti-Spam]

○ Multi-core platform in all models (TrusGuard 50 excluded).
○ Optimal distribution technology of packets to multiple cores applied.
○ When running a single function, the multi-core utilization provides the "maximum performance."
○ When running multiple functions, the multi-core utilization provides the "optimal performance."

※ Throughput Test Result
Throughput (1024-byte packets), firewall only: 6 Gbps
Throughput (1024-byte packets), simultaneous running of firewall & IPS (6,000 signatures on): 2 Gbps
Test condition: performance values of the TrusGuard 1000 model with 6 ports; IXIA test equipment; GET request 10K, 1G × 6 ports.
* The above performance can vary depending on the client's individual network environment.
TrusGuard Features – IPSec VPN

With TrusGuard, you can establish a VPN network with enhanced security response capability between HQ and branches and between PCs and the office.
Using IPSec VPN as a default function, TrusGuard provides a secure way of communicating through the public network. Also, when the firewall/IPS function is synched for traffic inside the VPN tunnel, it can prevent the internal spread of malicious code.
High-performance VPN communication through hardware acceleration.

Support for IPSec standard
• Supports tunnel mode, ESP, AH, ESP+AH.
• Interoperates with IPSec standard products.
• Supports encryption algorithms such as 3DES, AES, SEED, ARIA.
• IKEv1, IKEv2 and manual keying supported.
• Supports hub & spoke, star and mesh structures.
NAT Traversal
• Supports IPSec in NAT environments that use private IPs.
Dual Line
• Supports VPN line take-over via ADSL (2 lines or more).
VPN Accelerator
• Provides high-performance VPN through the equipped hardware accelerator (TrusGuard 1000 model).
DPD
• Real-time automatic transfer by detecting peer host status.
Firewall / IPS synch
• Firewall/IPS policy can be synched for VPN packets.
- Prevents the spread of malware through the VPN tunnel.
Bypass of other IPSec packets
• Can bypass IPSec packets destined for other appliances.
- Provides a flexible response for enterprises that use various security appliances.
Scalability
• Supports synch with an L4 switch for expanded throughput.
Other functions
• Supports bridge over IPSec.
• Supports split tunnel function.
• Prevents replay attacks.
• Standard PKI synchronization (X.509).

[Figure: HQ TrusGuard connected to a branch over an IPSec VPN tunnel and to a remote connection over SSL VPN]
TrusGuard Features – SSL VPN

TrusGuard provides a flexible VPN network with enhanced security that meets the client's environment.
TrusGuard effectively prevents the spread of worms/Bots from an infected branch to the HQ system through its powerful IPS-synch function.

TrusGuard allows flexible setup of the VPN network, as both IPSec VPN and SSL VPN are supported in the same appliance.
- When connecting via SSL VPN, AhnLab Online Security (PC firewall / anti-keylogger program) is automatically installed, and then the security status of the connected PC is checked to strengthen the internal security of the enterprise.

[Figure: HQ backbone network with DMZ and server farm behind TrusGuard; SSL VPN tunnel from a remote PC on which AhnLab Online Security is installed; IPSec VPN tunnels from Branch Z and from a university department network (Departments A, B, C); malicious traffic inside the tunnels is blocked]
TrusGuard Features – IPv6 (to be provided in May, 2010)

TrusGuard supports IPv4 & IPv6 dual-stack security settings in real network environments.

TrusGuard provides full security for various network environments where IPv6 is applied.

• IPv4 & IPv6 dual-stack support
• IPv6 routing (RIPng, OSPFv3)
• Transition technology (tunneling, translation)
• DHCPv6, RA
• IPv6 NAT & logging
• IPv6 stateful inspection
• IPv6 tunneling over IPv4

[Figure: TrusGuard at the HQ IPv6 network (IPv6 web server, server farm) connected to the IPv6 Internet and, through tunneling over IPv4, to the IPv4 Internet. Fully supports an IPv6 network; fully supports a combined IPv6 & IPv4 network; IPv6 packet filtering; many IPv6-related routing/transition algorithms.]
TrusGuard Features – Integrated Security Infrastructure

TrusGuard can "create/maintain/deliver" differentiated security response contents.

The core competence of TrusGuard lies in the security infrastructure (ASEC / CERT / ACCESS) that provides an effective response to increasingly diverse and malignant security threats.

Zero-Day Attack Prevention
• Prevents predicted vulnerability attacks
- Pre-distribution of signatures for predicted "vulnerability attacks."
• Microsoft MAPP partnership
- A program for pre-sharing security patch information.
Outbreak Prevention
• Early prevention of malicious codes/attacks
- Distributes signatures for preventing early spreading.
• Collaboration with internal CERT (Managed Security Center)
- When an emergency arises, rapid response is provided.
Up-to-date & Accurate
• 2~3 signature updates per day
- Maintains up-to-date signatures.
• 24*7*365 support
- Can detect & respond to real-time attacks occurring at client sites.

* ASEC : AhnLab Security E-response Center * CERT : Computer Emergency Response Center

Collaboration
• ASEC: malware collection & trend analysis; analysis of network attack trends; proactive prevention; writing/distribution of signatures.
• CERT: No. 1 managed security provider in Korea; provides managed security service to major clients; real-time response to network attacks.
• ACCESS (AhnLab Cloud Computing E-Security System): "A centralized, real-time threat monitoring & analysis system based on cloud-computing technology"; acquires & responds to real-time attack/threat information.
TrusGuard Features – Integrated Security Infrastructure

TrusGuard, using its 3-phase defense system for various security threats, can provide powerful protection against zero-day attacks and emergent attacks on your system.

[3-Phase Defense Mechanism]
Vulnerability reported → Attack emerged → Sample collected → IPS signature distributed.
Phase 1 (Zero-day Prevention) : Pattern estimation and distribution of the prevention policy.
Phase 2 (Outbreak Prevention) : Distribution of the early-prevention policy.
Phase 3 (AST & CDN service) : Distribution of the prevention policy for network worms.

[Zero-day Attack Prevention Examples]
Example #1. Attack on IE memory corruption vulnerability
2009/02/10 : Vulnerability reported.
2009/02/10 : TrusGuard signature for the estimated attack was distributed.
2009/02/11 : Microsoft announced the security patch.
2009/02/18 : Public disclosure of the executable attack code.
Example #2. Microsoft Access ActiveX remote exploit
2008/07/18 : First discovery of the vulnerability (Chinese community website).
2008/10/23 : TrusGuard signature for the estimated attack was distributed.
2008/10/28 : A website that spreads malicious code exploiting the vulnerability was sighted.
Example #3. Attack on server service vulnerability (RPC vulnerability attack)
2008/10/23 : MMPC reported the emergence of a worm.
2008/10/23 : MS announced the emergency security patch.
2008/10/23 : TrusGuard signature was distributed.
TrusGuard Features - IPS

TrusGuard is very powerful at combating various vulnerability attacks and malicious codes.
TrusGuard possesses more than 6,000 security response rules, the largest of any IPS worldwide, and, through ASEC, provides 24*365 monitoring/analysis service, daily 2~3 update service and emergency response service.

TrusGuard IPS function
• World's largest security response signature set (6,000)
• 2~3 signature updates per day
- Up-to-date & accurate signatures
- Reliable update environment through CDN
• Prevention of various network-based attacks/malware
- Please refer to the IPS response list below.
• MAPP partnership with Microsoft
• Real-time monitoring/analysis system for various security threats

TrusGuard IPS – rules that are internally monitored/written:
▶ Prevention of vulnerability attacks ◀
• Application vulnerability
- OS / IE / shell code, etc.
• Web vulnerability (OWASP vulnerabilities)
- SQL injection, XSS vulnerability, etc.
- CGI / IIS / MISC vulnerability, etc.
▶ Prevention of network-based attacks ◀
• Scanning attack
• ARP spoofing, etc.
• NetBIOS / RPC attack
• DoS attack / Backdoor
• Protocol anomaly
• Others
▶ Prevention of malware attacks ◀
• Worm
• Bot / BotNet
• Trojan
• Spyware / Downloader
• P2P / Instant messaging
• Mass mailer
• Dropper
▶ Blocking of malware source ◀
• Web monitoring system
• Use of SiteGuard DB
• Operation of active honeypot

Managed security service: vulnerability analysis system, VRS, BotNet management system, WebMon, DDoS monitoring system, intrusion log analysis system.
TrusGuard Features – Prevention of Web/Application Vulnerability Attacks

TrusGuard provides superb protection against the ever-increasing attacks that exploit web & application vulnerabilities.
TrusGuard is equipped with signatures that effectively protect against the 10 web application vulnerability attacks selected by OWASP, and these signatures are updated 2~3 times per day through ASEC.
TrusGuard provides a phased defense mechanism against popular web attacks like SQL Injection, XSS (Cross-Site Scripting), etc.

[Phased response mechanism against web vulnerability attacks]
[Figure: the attacker exploits vulnerabilities #1 ... #n on the attack-target web server; infected pages redirect visitors to a passing-point server and on to a spreading-point server; TrusGuard applies prevention points 1 to 4 on the path between the Internet and the internal client PCs]

[Example of phased prevention of web vulnerability attacks]
Prevention 1 : Prevent vulnerability attacks on the web server.
• Prevents attacks that exploit vulnerabilities in the web server, such as SQL / PHP injection, XSS, CSRF, etc.
Prevention 2 : Block access to the server at the malware passing point.
• Blocks access by internal client PCs to the malware passing-point server.
Prevention 3 : Block access to the server at the malware spreading point.
• Prevents access by internal client PCs to servers at malware spreading points.
Prevention 4 : Block downloading of the vulnerability attack code.
• If a connection to a server at a spreading point is made, TrusGuard blocks the download of the vulnerability attack code to the internal client PCs.

* ASEC (AhnLab Security E-response Center) : A specialized unit in AhnLab that provides monitoring/analysis of malware/attacks, response service and signature writing.
TrusGuard Features – Detection/Block of Zombie Malware

TrusGuard detects zombie malware and prevents infection by and spread of zombie malware.

TrusGuard not only prevents DDoS using Bots but also prevents the infection of internal PCs by Bots. Also, even if internal PCs are infected by a Bot, TrusGuard protects the client's network by performing various operations to prevent the Bot from running.

[Figure: control points around the BotNet]
• Block the malware spreading point.
• Prevent vulnerability attacks and malware attacks.
• Prevent internal infection by Bots.
• Block internal spreading of Bots.
• Prevent external spreading of Bots.
• Block C&C communication.
TrusGuard Features – ACCESS-synched Removal of Zombie Malware

TrusGuard provides real-time detection/prevention of active zombie malware (Bots) through synch with the ACCESS system based on cloud-computing technology.

The ACCESS-based DDoS monitoring system is AhnLab's unique monitoring and analysis system for zombie malware. With information gathered from 10 million sensors for detecting zombie malware, it provides real-time analysis & response service.

① Detects abnormal network behavior of a certain file.
② Monitors for the same behavior (Threat Info-Gathering System).
③ Real-time analysis
- Program info.
- Reputation system
- File activity trend
- Behavior-based activity
- Relations among files
- Malware distribution route
④ Applies the analysis result to TrusGuard in real time: blocks zombie malware and prevents the spreading of zombie PCs in the enterprise.
TrusGuard Features – ACCESS-synched Prevention of Zombie Malware

TrusGuard provides real-time detection/prevention of active zombie malware (Bots) through synching with our ACCESS system based on cloud-computing technology.

[Figure: sensors report Bot malware activity info and Bot malware files to the ACCESS DDoS monitoring system and to ASEC; the resulting block signatures are applied to TrusGuard]

• Prevention of zombie malware
- Provides block signatures for access to servers at spreading points.
- Provides block signatures for access to C&C servers.
- Provides block signatures for infection/downloading of zombie malware.
- Provides block signatures for synched updates among malware.
TrusGuard Features - NAC

TrusGuard provides a NAC function through synching with end-point security solutions.

TrusGuard is synchronized with V3, an anti-virus product by the same company, to:
① prevent access by PCs without the APC Agent that performs "V3 installation & up-to-date V3 update";
② quarantine infected PCs from the internal network and perform automatic repair (when using the IPS license).
Through this, TrusGuard prevents infected PCs from spreading to internal networks and, above all, strongly blocks the activity of zombie malware through synch with the DDoS monitoring system.

[Figure: headquarters core network with DMZ, server farm and TrusGuard 1000; branch distribution network with TrusGuard 100 / TrusGuard 500 connected over a VPN tunnel; V3-equipped PCs. ① Network access control & redirection of a PC without the APC agent to the APC agent installation page; ② PC quarantine & automatic repair]
TrusGuard Feature – Defense against DDoS Attack

TrusGuard provides strong protection from DDoS attacks, a major type of network attack.

TrusGuard is equipped with a special, carefully phased DDoS defense engine that is currently overseas patent-pending.
1st Phase : Runs the DDoS detection engine.
- When a certain session threshold is reached, the traffic is judged to be a DDoS attack.
2nd Phase : Runs anti-spoofing protection.
- Filters spoofed packets by answering TCP connection attempts with a virtual response while under attack.
3rd Phase : Runs dynamic protection.
- For packets decided to be attacks after real-time analysis while under attack, a rate limit is applied.
4th Phase : Runs segment protection.
- Self-learns session statistics on connections per source IP segment during normal time.
- Under attack, blocks an IP segment with abnormal session connections after deciding it is an attack.
5th Phase : Runs HTTP BotNet protection.
- Blocks large volumes of HTTP BotNet attacks that occur after a TCP session has been established.

Overseas patent No. 2007-114875

*Financial Supervisory Service (FSS): Korea's government agency which monitors and audits all financial institutions operating in Korea, and imposes sanctions against those which violate the financial regulations of the nation.
TrusGuard Feature – Defense against DDoS Attack

TrusGuard provides strong protection from DDoS attacks, a major type of network attack.
TrusGuard is equipped with protection functions against DDoS attacks of various sorts, as listed below. Preventable attack patterns are constantly updated by AhnLab ASEC & the DDoS Special Unit.

Inbound DDoS attacks (prevention type: filtering by the special DDoS engine)
• TCP Flooding Attack
- TCP SYN Flooding
- TCP SYN Flooding Spoofing
- TCP ACK Flooding
- TCP ACK Flooding Spoofing
- TCP NULL Flooding
- TCP NULL Flooding Spoofing
- SYN-ACK Flooding
- RST Flooding
- IP Random Fragment Flag
• UDP Flooding Attack
- UDP Flooding
- UDP Flooding Spoofing
- IP Random Fragment Flag
• ICMP Flooding Attack
- ICMP Echo Flooding
- ICMP Echo Flooding (Spoofing)
- ICMP Echo Reply Flooding
- ICMP Echo Reply Flooding (Spoofing)
• HTTP Attack
- BotNet Attack
- CC (Cache-Control) Attack
• Other Attacks
- Confuse (mixed) TCP/UDP/ICMP Flooding
- Confuse (mixed) TCP/UDP/ICMP Flooding Spoofing

Outbound DDoS attacks (prevention type: IPS signature-based filtering)
• Internal zombie PCs
- Download of zombie programs from malware spreading websites
• External attack by internal PCs
- Attacks on external target servers by internal zombie PCs
TrusGuard Features – Anti-Virus

TrusGuard uses the V3 engine, proven worldwide for its superiority in virus filtering.

TrusGuard blocks the intrusion of malware into the internal network by utilizing 20 years of virus analysis technology and the DB of V3.

V3 is an internationally acclaimed anti-virus engine which has won several international certificates such as "VB 100" and "Check Mark."

TrusGuard has a powerful advantage in preventing malware that changes in real time because it uses a proprietary internal AV engine.

[Figure: ASEC delivers V3 engine updates (regular / frequent / emergency) to TrusGuard through the AhnLab CDN; TrusGuard filters viruses/malware coming from the Internet]
TrusGuard Features – Anti-Spam

TrusGuard uses a powerful, world-class spam engine for spam filtering.

TrusGuard uses a Global Anti-Spam Engine that is used by more than 100 customers worldwide.

TrusGuard features a superb spam filtering rate of 97% and a very small false-positive rate of 1 in 1.5 million.
TrusGuard also provides a preemptive filtering function against "unknown viruses" distributed via E-mail.

[Figure: Spam Detection Engine]
• Detection of spam from 130 nations
• Powerful spam filtering: "97% spam filtering rate", "false-positive rate of 1 in 1.5 million"
• Detects spam mail and E-mail virus outbreaks
• Preemptive filtering of unknown E-mail viruses
- Distribution pattern based
- Structure pattern based
TrusGuard Feature – Total Web Access Filtering

TrusGuard can prevent intrusion by malware into the internal network through blocking access not only to non-work-related websites but also to malware distribution sites/phishing sites. (To be provided in May, 2010.)
TrusGuard is equipped with its own DB of malware distribution sites, which have become major sources of malware distribution. This DB is updated in real time to provide up-to-date protection.

[Diagram: TrusGuard, placed between the Internet and the DMZ/server farm, synchronizes its DB with SiteGuard and blocks access to non-work-related websites, malware distribution URLs, and phishing sites]

* TrusGuard-SiteGuard synch service is planned to be provided in May, 2010.
Special Advantages of AhnLab TrusGuard UTM - LogServer

12. Analyzing various security threat events and monitoring & reporting should be available.
TrusGuard UTM provides detection, prevention, and analysis of security events including firewall, IPS, anti-virus, and anti-spam through a “Single Interface.”

[UTM Log Server Functions]
The Log Server collects the Firewall Log, IPS Log, UTM VPN Log, Anti-Virus Log, and Anti-Spam Log.
• Log collection/storage
• Security threat analysis and graphical display
• 50 types of security reporting
- User-defined integration report configuration

[Log Server UI Sample]
▪ Real-time Monitoring
- Real-time display of attacks
- Top 10 Information: By user, attack type, or service type
- Real-time session monitoring
▪ Various analysis tools
- Attack patterns & trend analysis
- Tracing details through Monitoring UIs (Drill-down)
- Event IP monitoring
▪ Administrator Alerting
- Threshold setting and event alerting (E-mail)
TrusGuard Features – AhnLab TrusGuard Manager

TrusGuard provides the management tool for efficient control of many appliances.
TrusGuard Manager is a management tool for controlling many TrusGuard appliances. Chief among its major advantages are “user-oriented simple & dynamic UI” and “powerful monitoring function of managed appliances.”

Specialized visualization / Simple policy setting/management
○ Differentiated look & feel
○ Dynamic & simple UI
○ Integrated policy profiling technique
○ Easy setting of IPSec VPN
○ User-oriented low depth structure
○ Drag & drop group configuration
○ Graphical monitoring

Many value-added functions
○ LogServer Single Sign-on
○ Supports DB2 (freeware version).
○ AST synch function (* To be provided by end of 2009.)

Powerful monitoring
○ Powerful monitoring environment
- System status information of all managed appliances
- Network usage status of all managed appliances
- Interface error status of the managed appliance
- Health check of the managed appliance
- VPN connection status of the managed appliance
TrusGuard Features - Manager

TrusGuard provides the management tool for efficient control of many appliances.

Manager Overview

[Screenshot: Real-time monitoring of all managed appliances]
Customer Benefits
Customer Benefits

1. You can build a reliable and flexible high-performance network security environment.

① Reliable and flexible high-performance firewall
- Can configure HA without L4 equipment. (A-A, A-S)
- Can control HA separately for VLAN trunking port and VLAN port.

② Flexible VPN with enhanced security
- Prevents intrusion by malware into internal networks by strengthening the network perimeter security among branches. (IPS/AV function is on.)
- Effectively prevents spreading of internally infected malware like worms/Bots to the entire internal network through VPN.
 Filtering by synching with IPS/AV
 NAC by synching with V3
- The use of IPSec VPN and SSL VPN can be mixed to meet the customer's environment.

③ Detection of zombie PCs & prevention of malware spread
- System and knowhow to detect & analyze malware
. BotNet information management system / WebMon system
. DDoS monitoring system (with 1 million sensors)
- Detects and prevents the spread of zombie malware in real time.
. NAC by synching with V3

[Diagram: Internet-facing TrusGuard with ① HA firewall, ② VPN to branches, ③ zombie PC detection]
Customer Benefits

2. The spread of malware to entire networks can be prevented by detecting and blocking malware/Bots.

• “Enhancing security of branch VPN traffic” that flows into HQ via VPN
- Prevention of threats in branches: prevents infection by worms/viruses. ①
- Applying security policy to VPN traffic that flows from branches to HQ & synching with IPS ②
. Prevention of branch-infected malware from spreading to HQ and attacking server systems.
• “Prevention of malware spreading among distribution networks” in HQ ③
- By implementing TrusGuard in front of each network segment, internal spread and external attack by worms/zombies can be prevented.

[Diagram: Headquarters core network with DMZ, server farm and TrusGuard 1000 + AST; distribution network segments behind TrusGuard 500/400 (③); branches behind TrusGuard 100 (①) connected via the Internet]
Customer Benefits

3. You can build a network environment that is free from external security threats.

• Security threats are getting “Complicated, Varied & Intelligent”
[Diagram: Threats from the Internet (Worm, DDoS, Spyware, Bot, Virus, Phishing, Trojan, Web vulnerability, OS/IE vulnerability, Unauthorized User, Data Sniffing, ...) against HQ, branches and remote sites, with TrusGuard at the perimeter]

• General firewall/VPN provides “access control/anti-data sniffing” functions only.
• AhnLab TrusGuard provides a clean network environment through…
“firewall function based on stateful inspection”
“IPS & AV function for protection against external attacks”
“IPSec/SSL VPN function for safe communication with branches or remote offices.”
Customer Benefits

1. Establishment of the network environment free from external security threats is possible. (Continued)

• Three-phased blocking method protects the network from “unknown network attacks.”
Phase 1: Update of predictive prevention blocking rules before the advent of the worms
- Distribution of predictive prevention rules for potential worms and attacks through OS vulnerability analysis.
- Proactive measures against worm variant patterns
Phase 2: Initial spread blocking rule
- Application of the e-mail filtering rule in the initial spread of the worms
Phase 3: Signature update through sample analysis
- Sample collection and application of the signature made by ASEC
[Diagram: three-phased blocking]

• 24*7 updates of blocking rules and signatures through ASEC to prevent threats of “latest attacks.”
ASEC's rich experience in dealing with malicious code for the past 18 years ensures real-time monitoring and analysis of worms and viruses worldwide, and provides accurate and prompt signature updates.
[Diagram: Signature update path: ASEC Center 1/2 → AhnLab AST Server and AhnLab CDN service (via KT, DACOM, Hanaro) → Internet → TrusGuard]

* ASEC (AhnLab Security E-response Center)
Customer Benefits

2. Reduction of Total Cost of Operation (TCO)

Point Solutions: Firewall/VPN, IPS/IDS, Anti-Spam, Viruswall, Web Filtering
- Multi-vendor solutions of different service levels

Issues of Point Solutions
- Risks of adopting the solution
- High costs for the solution
- Trouble shooting issues
- Securing the necessary operation workforce

TrusGuard Benefit
- All in One Box: “With the cost of a firewall, IPS and virus/spam solutions can be built”
- Simple Maintenance: easy trouble shooting; service continuity can be guaranteed with the provision of bypass functions.
- Efficient manpower allocation: used not only for security but also for other operations; greater productivity.
Customer Benefits

3. Removal of garbage traffic increases productivity and network efficiency.

[Firewall Only]
• Traffic filtering unavailable
• Wide-spread garbage traffic (malicious code, spam, P2P, web surfing, messenger, harmful sites such as securities/gambling) mixed with work traffic
• Compromised network resource efficiency

[After adopting TrusGuard UTM]
• Control by traffic type
- Spam blocking
- P2P/Messenger control
- Harmful site access control
- Malicious code prevention
• Network cost reduction through traffic optimization
• Greater concentration and productivity
Implementation Case
Implementation Case: 00 City Hall (Firewall only)

○ Weakness in old configuration
- Redundant configuration of single-core based low-end firewalls couldn't handle the increase in traffic.

○ Improved security configuration
- Single-core firewalls were removed and TrusGuard 1000 were double-stacked.
- Active-Active High Availability setting
- Automatic backup by configuring OSPF in the redundant router/security appliance area
[Diagram: Internet → redundant routers (OSPF setting) → two TrusGuard appliances (A-A HA setting) → internal network]

○ Benefits
1) Multi-core, high-performance TrusGuard allowed high throughput.
- Flexible handling of volume increase of multimedia & Internet contents.
2) Double-stack configuration of TrusGuard enabled high network availability.
- Configuration of session synchronization and policy synchronization
3) Powerful access control based on the stateful inspection method
Implementation Case: 00 Education Office (Firewall + SSL)

○ Weakness in old configuration
- Performance issue from using a single-core based, low-end firewall
- Use of IPSec VPN client for remote/telecommuting workers
 Usability reduced due to many problems with disasters, maintenance, installation, etc.

○ Improved security configuration
- The single-core firewall was removed and TrusGuard 1000 were double-stacked.
- Active-Standby High Availability setting
- SSL VPN of TrusGuard was provided for remote/telecommuting workers.
[Diagram: Internet → TrusGuard (Firewall) pair and TrusGuard (SSL) → DMZ server network and internal server network]

○ Benefits
1) Multi-core, high-performance TrusGuard allowed high throughput.
- Flexible handling of volume increase of multimedia & Internet contents.
2) Double-stack configuration of TrusGuard enabled high network availability.
- Configuration of session synchronization and policy synchronization
3) Security and availability in remote access by SSL VPN of TrusGuard
4) Enhanced security by connecting to SSL VPN
- Provides PC firewall and anti-keylogging to connected PCs by installing AhnLab AOS.
- Deletes remaining cookies in PCs after the connection is terminated.
Implementation Case: 00 Newspaper (Firewall + IPS)

○ Weakness in old configuration
- Many vulnerabilities due to the simple firewall configuration in the gateway
- Performance issue in the web firewall due to a large volume of unfiltered incoming traffic reaching it

○ Improved security configuration
- The simple firewall was removed and TrusGuard 1000 were double-stacked.
- Simultaneous running of firewall + IPS
- Active-Active setting through L4 switch
[Diagram: Internet → L4 switch → two TrusGuard (Firewall+IPS) → web firewall → L4 switch → image server, web server, DB server]

○ Benefits
1) By simultaneously running firewall and IPS,
- a large volume of harmful traffic targeting web servers and the DB server can be filtered.
ex) web vulnerability attacks (SQL Injection/XSS attack)
- a large volume of harmful traffic to web servers is filtered first, which reduces the performance overload on the web firewall behind it.
Implementation Case: 000 Political Party (DDoS)

○ Weakness in old configuration
- Service errors due to DDoS attacks occurred.
- Firewall was down due to instant overloading of sessions.
- Vulnerable to various hackings, network attacks and malware that bypass firewall policy. (Web/Application vulnerability attack, Worm, Bot, Trojan, etc.)

○ Improved security configuration
- TrusGuard was deployed as an exclusive DDoS protection appliance in front of the firewall in the Internet gateway.
[Diagram: Attacker → C&C server → zombies; DDoS traffic crosses the Internet to TrusGuard, placed in front of the firewall and the web servers]

○ Benefits
1) Effective prevention of DDoS attacks
- Normal working of the firewall due to prevention of DDoS attacks
- Prevention of DDoS attacks like tcp-syn, icmp, tcp-ack flooding, etc.
- Internal service availability was guaranteed due to normal working of the firewall.
2) Blocking of many malware or attacks that cannot be prevented by the firewall
- Worms, Bot, Trojan, Downloader, etc.
- Application vulnerability attack, DoS/DDoS attack, etc.
3) Effective protection against attacks that exploit web vulnerabilities
- Web application vulnerability attack (SQL Injection, XSS, etc.), OS/IE vulnerability attack, etc.
Implementation Case: 00 Dotcom (VPN Network)

○ Weakness in old configuration
- Because the simple VPN setting between HQ and branches provided an encrypted communication method only, malware infection in data or unauthorized access could not be detected.
- Errors were frequent in the IPSec VPN client on PCs of telecommuting workers.

○ Improved security configuration
- TrusGuard provided a safe VPN channel between HQ and branches.
 Runs firewall + IPSec VPN + IPS functions simultaneously.
- TrusGuard provided a safe VPN channel between HQ and the DataCenter.
- SSL VPN channel for telecommuting/mobile workers
[Diagram: Headquarters (server farm, ATM, TrusGuard) connected over the Internet by IPSec VPN tunnels to the branch TrusGuard and the IDC/DataCenter TrusGuard, and by SSL VPN tunnels to telecommuting/mobile workers]

○ Benefits
1) Security in branches was heightened to the level of HQ.
- Firewall, VPN, IPS, Anti-Virus, Contents Filtering, etc.
2) Blocks malware coming through traffic in the VPN tunnel.
- Firewall policy application for VPN traffic & detection/prevention of malware by IPS
3) Redundant configuration of security appliances in HQ through High Availability (Active-Active, Active-Standby) setting
- Can set up a redundant configuration without session synch technique & L4 switch.
4) Secure VPN channel between HQ and branches
5) Flexible SSL VPN setting for telecommuting/mobile workers
Implementation Case: 00 Gas Station (VPN Network) (1)

[Diagram: Center with a TrusGuard 1000 pair (Active/Standby; trunk and link aggregation to a C2950 switch), DB and ATM (integrated management); integrated policy settings are pushed over the Internet to branch TrusGuard 50 units on VPN local networks]
Implementation Case: 00 Gas Station (VPN Network) (2)

○ Weakness in old configuration
- Used an exclusive 256K data line for connection between HQ and gas stations under direct control.
 Too expensive when using the exclusive data line.
- No additional system that could respond to security threats was present except the firewall in HQ.
 Very vulnerable to worms and malware that infect a gas station and then spread to the entire network.

○ Improved security configuration
- Using the IPSec VPN of TrusGuard, the connection between HQ and stations was configured in a gateway-to-gateway setting.
- On the deployed TrusGuard, the entire set of firewall, VPN, IPS, AV, anti-spam and website filtering functions was implemented.

○ Benefits
- The expensive fee for using the exclusive data line was reduced to the level of high-speed Internet broadband lines.  Cost saving while maintaining the security level.
- By running the various security functions of TrusGuard (IPS, Anti-virus, Anti-spam, blocking of harmful websites, etc.):
 The availability of the station network was ensured by blocking incoming threats at the network level.
 By preventing malware like worms and Bots that infected a station from spreading to the internal network through the VPN tunnel,
1) the availability of the VPN network between HQ and branches was ensured, and
2) the major server systems in HQ can be protected from various security threats.
 The synch with the DDoS monitoring system effectively prevents zombie malware from intruding and spreading to the internal network.
Implementation Case: 00 University (End-point Synch Security)

○ Weakness in old configuration
- With only a simple firewall deployed in the Internet gateway, the network was vulnerable to attacks and malware from outside.
- It was impossible to prevent malware/network attacks from internal PCs, or from external authorized/unauthorized PCs that connect to the internal network, from spreading to the entire internal network.

○ Improved security configuration
- By implementing firewall and IPS at the point of connection with the Internet, unauthorized accesses or attacks from outside were blocked.
- In school departments (distribution network), “TrusGuard” was deployed to partition the relevant security domain.
[Diagram: Internet → TrusGuard (firewall + IPS) → backbone network with DMZ, ATM and server farm; each school department network (Dept. A, Dept. B, Dept. C) sits behind its own TrusGuard]

○ Benefits
1) Security domains per school department were established.
- Different security policies per school department (FW, IPS, AV, etc.)
2) Prevention of malware in school departments from spreading to the entire backbone network
- Minimizes the security threat (limited to the department network)
3) Can provide a NAC environment when synching with V3 in PCs/servers.
- Synched security of TrusGuard-V3
- Quarantine of infected PCs from the network and automatic repair

* NAC (Network Access Control)
Implementation Case: 00 City Hall (IPv6 Pilot Network)

TrusGuard is “Korea's only network security solution” that is implemented in the IPv6 pilot network.

[Diagram: The IPv6 client network in 00 city hall and the IPv6 network in 000 district office connect through 6to4 tunneling (6to4 relay router) across the IPv4 commercial network to the 6KANet IPv6-connected network and the IPv6 Internet; AhnLab TrusGuard acts as the IPv6 firewall (IPv6 RA, Router Advertisement) in front of the IPv6 server and client PCs]
Detailed Functions
Specifications of Major Functions (1/6)

Firewall
 Stateful Packet Inspection Type
 Black & White list-based Filtering
 Guaranteed performance independent of policy and sessions
 Various NAT functions: Static/Dynamic NAT, Excluded NAT, NAT Traversal, Load-Sharing NAT, Twice NAT
 IP/Port/Firewall Policy-based QoS (Quality of Service)
 Object-based intuitive set-up and easy-to-use management functions
 Schedule-based policy setting (One-time, daily, weekly, monthly, yearly, a certain period)
 Guaranteed availability: Active-Active, Active-Standby HA (without L4 switch), Full-Mesh network configuration (without L2 switch), By-pass support
 Password-based authentication, Internal OTP (One-Time Password) authentication, RADIUS linkage authentication
 VoIP (SIP, H.323) Protocol Supported
 Exporting Firewall policy function
 Secure OS (ANOS)

Network
 Route & Transparent Mode supported
 Static & Dynamic Routing supported (RIPv1, RIPv2, OSPF)
 Source Routing supported
 Multicast Routing Protocol (PIM-SM)
 802.1Q VLAN, 802.3ad Port Aggregation
 DHCP Server/DHCP Relay (in Bridge mode), DNS/Split DNS
 By-pass function supported
 SNMP v1/v2 supported
 NTP supported
 SIMS linkage supported
Specifications of Major Functions (2/6)

IPv6 support (integrated support planned for May 2010)
 IPv4/IPv6 Dual Stack supported
- IPv4 & IPv6 simultaneous processing
 IPv6 Networking/Routing/Packet Filtering supported
- IPv6 Static/Dynamic Routing (RIPv6, OSPFv6)
- IPv6 Tunneling (6to4, ISATAP) & Translation (NAT-TP)
- IPv6 Stateful Inspection-based Packet Filtering
- Static NAT, Dynamic NAT, Excluded NAT
- IPv6 Log Collection and analysis

IPSec VPN
 Manual Key, IKE, IKEv2
 Gateway-to-Gateway/Client-to-Gateway VPN
 Bridge mode over IPSec
 3DES, AES (128, 192, 256), SEED, ARIA encryption algorithms
 SHA-1, SHA-2 (256, 384, 512), HAS-160 certified algorithms
 Hub & Spoke/Star/Mesh architecture
 NAT Traversal supported
 Dead Peer Detection supported
 PFS (Perfect Forward Secrecy) supported
 Replay attack prevention
 Split Tunnel
 PKI standard synch (X.509 standard synch)
 Other IPSec traffic bypass
 Firewall/IPS interface
 Multi-line load-balancing supported (2 or more lines)
 Supports encryption accelerator
 VPN traffic QoS supported
 Supports powerful monitoring of the entire VPN networks/appliances
Specifications of Major Functions (3/6)

SSL VPN
 Gateway to Client VPN, User Level Access Control
 IPSec VPN client level service
 Stronger end-point security
- Keyboard stroke detection and firewall function upon initial access
 Automatic installation of AOS (AhnLab Online Security) Firewall & AOS anti-keylogging, and automatic deletion
- Deletion of HTTP cache and cookie data after usage
 SSL VPN Dead Peer Detection
 SSL VPN Client System Requirements: Windows 2000/Windows XP/Windows Vista, IE 6.0 or higher
 SSL VPN Active-Standby HA supported
 Supports SSL accelerator (Optional)
 Synchronization of internal DNS, WINS

Intrusion Prevention
 Packet-based network attack detection & prevention
 Signature-based intrusion prevention: Approximately 5,000~6,000 signatures
- Regular signature updates (1~2 times per day)
 Behavior-based intrusion prevention
- Anti-Scanning, Anomaly detection, DoS/DDoS prevention
 User Defined Rules/Signatures
- Configures exceptions to IP/port-based or source/destination-based rules
 Three-phased blocking method protects against 'Zero-Day' attacks
- Zero-Day Attack Prevention (predicted vulnerability attacks)
- Outbreak Prevention (prevents the spread of an initial attack)
- Known Attack Prevention
 Vendor-developed signatures with dedicated attack response capability
- A 24-hour virus response organization provides analysis reports.
 Automatic and regular updates using AST (AhnLab Security Tower) and CDN (Contents Delivery Network)
 MAPP (Microsoft Active Protections Program) partnership with Microsoft
Specifications of Major Functions (4/6)

Intrusion Prevention
 Threat responses (includes 5,000~6,000 IPS signatures)
- Worms, Spyware, Trojan, Downloader, Dropper, Mass-mailer, Phishing, Bot/BotNet prevention
- Backdoor prevention
- TCP Reassembly, IP Defragmentation
- NetBIOS attack
- RPC attack
- Application/Web attack prevention (OWASP Top 10 vulnerabilities)
. SQL/PHP Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), etc.
. Attacks through vulnerabilities of IIS/CGI/MISC/PHP
. Attacks through vulnerabilities of the OS, Internet Explorer, etc.
. ARP Spoofing, Botnet control, Shell Code, Script, Web Monitoring, etc.
- DoS, DDoS, Scan prevention
- Exploit attack prevention
- E-mail attack prevention
- DNS attack prevention
- Anomaly prevention
- Prediction and blocking of unknown attacks
- Blocking of P2P/Instant Messenger
- Signature update history management, signature help provided

DDoS Protection
Contains a dedicated engine to defend against DDoS attacks
 TCP Flooding Prevention
- TCP SYN Flooding (Spoofing), TCP ACK Flooding (Spoofing), TCP NULL Flooding (Spoofing)
- Defends against SYN-ACK Flooding, IP Random Fragment Flag, RST Flooding attacks
 UDP Flooding Prevention
- Defends against UDP Flooding (Spoofing), IP Random Fragment Flag attacks
 ICMP Flooding Prevention
- ICMP Echo Flooding (Spoofing), ICMP Echo Reply Flooding (Spoofing)
 HTTP BotNet Attack Prevention
- Defends against HTTP BotNet Attack
- Defends against CC (Cache-Control) Attack
 Prevents other attacks
- Defends against Confuse TCP/UDP/ICMP Flooding attacks
Specifications of Major Functions (5/6)

Anti-Virus
 File-based virus and malicious code detection & prevention
 Threats: Virus, Trojan, worm, spyware, adware, phishing, spam, and malicious sites
 Blocks e-mail viruses in advance (Outbreak Prevention)
 Supported protocols: HTTP, SMTP, POP3, FTP, Oracle, and General TCP
 Scans zipped files (compressed up to 5 times), filtering by file extension
 24-hour monitoring & analysis of various threats in ASEC
 24/7 real-time update through CDN (Contents Delivery Network)
 Performance optimization through load sharing
 Quarantine through detection of infected systems

Anti-Spam/Web Filtering
 Spam Mail Blocking: Scans SMTP, POP3
 RBL (Real-time Black List) & RPD (Recurrent Pattern Detection) engine-based spam detection
 User-defined keyword-based spam blocking
- Keyword (title, content), Regular expression/Wildcard
 Supports an allowed mail list (sender IP address/E-mail address)
 Spam mail quarantine: forwarding to and saving in a designated mail account
 Website Filtering
- Interface with the database of the Korea Communications Standards Commission and blocking of user-defined URLs
- User-defined website filtering supported (wildcard supported)
- Configures exceptions to source/destination-based website filtering

Proxy
 Supported proxies: HTTP, POP3, SMTP, FTP, Oracle, DNS, UDP, General TCP
 ActiveX, JavaScript, Applet, VBScript, Textarea tag and other tags blocked
 Blocks commands (FTP, SMTP)
 Blocks mail relay (SMTP)
 Blocks exposure of internal IP information to the outside
Specifications of Major Functions (6/6)

Traffic Management (QoS)
 Traffic bandwidth guaranteed for the entire traffic, by IP and by port
 Supports manual set-up and automatic set-up based on filtering results
 QoS per policy for traffic control
 Policy/Schedule-based QoS support
 Traffic shaping and policing support

NAC
 Network access control by linking with APC, the V3 anti-virus solution management program
- PCs that do not have APC installed have their Internet access controlled and are redirected to an installation page
- PCs infected with malicious code are quarantined from the network and forcibly repaired by APC

Monitoring
 Real-time monitoring of log data (System/Network/Firewall/IPS/Anti-Virus/Anti-Spam)
 Statistics of various analysis information

Log Server
 External Log Server (separate S/W installation)
 Real-time monitoring of System/Firewall/IPS/Anti-Virus/Anti-Spam
 Security log store/collect/analysis & display
- More than 50 various analysis reports

Integrated Manager
 External Integrated Manager (separate S/W installation)
- Manages multiple appliances
- Policy setting across multiple appliances
- Real-time monitoring of managed appliances.
Specifications
H/W Specification

Category             TrusGuard 50   TrusGuard 70   TrusGuard 100P    TrusGuard 400        TrusGuard 500        TrusGuard 1000       TrusGuard 10000
Operation Mode       Route Mode / Transparent Mode (all models)
CPU                  Single         Dual           Dual              Dual                 Quad                 Quad                 Exclusive Multi Core
10/100 Switch        4              4              -                 -                    -                    -                    -
Giga Port (Copper)   4              4              6                 4                    4                    4                    8
Giga Port (Fiber)    -              -              -                 2                    4                    8                    8
10G Port             -              -              -                 -                    -                    -                    2 (4 ports for expansion, except Copper 1G * 8)
Bypass               Copper         Copper         Copper            Copper/SFP           Copper/SFP           Copper/SFP           10G/SFP
Firewall Throughput  150Mbps        300Mbps        600Mbps           1.2Gbps              2Gbps                4Gbps                20G
Firewall+IPS         80Mbps         240Mbps        400Mbps           800Mbps              1.2Gbps              2Gbps                -
Max Session          300,000        500,000        1,000,000         1,300,000            1,500,000            2,000,000            5,000,000
Sessions/second      6,000          6,000          10,000            15,000               20,000               27,000               100,000
VPN Tunnels          500            1,000          5,000             8,000                12,000               20,000               -
Size (W×D×H mm)      428x44x300     428x44x300     431x44.4x361      424x88x530           426x88.8x584         426x88.8x584         431.8x88x580
Operating temp.      0~40 deg C     0~40 deg C     0~60 deg C        0~40 deg C           0~40 deg C           0~40 deg C           5~35 deg C
Storage temp.        -20~75 deg C   -20~75 deg C   -20~70 deg C      -20~80 deg C         -20~70 deg C         -20~70 deg C         0~70 deg C
Power                Single 150W    Single 150W    1U ATX SPS/180W   Redundant 460W/each  Redundant 600W/each  Redundant 600W/each  Redundant 500W
Summary

TrusGuard: High-Performance/High-Quality Network Security

TrusGuard fully protects your assets through a high-performance firewall/VPN & provides high-quality security response capability.

[Diagram: Feature stack (Firewall; IPSec & SSL VPN; IPS/AV/AS/Web; DDoS; CC; IPv6; Integrated manager; Log Server) across the line-up TrusGuard 50, 70, 100, 400, 500, 1000 and 10000, positioned by price/performance from branch and small & middle sized enterprise to data center]
Appendix. Main UI View

Prevention of Major Attacks: Sample
1. Defense against DDoS attack
[Screenshot: Blocked DDoS attacks - ICMP Flooding/Trinoo, etc.]

Prevention of Major Attacks: Sample
2. Defense against SQL injection attack
[Screenshot: Blocked SQL injection attacks - WEB-MISC Demarc, etc.]

Prevention of Major Attacks: Sample
3. Defense against worm attack (1)
[Screenshot: Blocked worm attacks - Exploit, ActiveX attack, etc.]

Prevention of Major Attacks: Sample
3. Defense against worm attack (2)
[Screenshot: Blocked worm attacks - BAD-TRAFFIC data, etc.]

Prevention of Major Attacks: Sample
4. Defense against spyware attack
[Screenshot: Blocked spyware attacks - Win32-Trojan, Win-Spyware, etc.]
Main UI View

1. Detailed monitoring screen (1)
“Graphical display” of network statistics
[Screenshot: Monitor type; Network usage; Usage by protocol; Usage by service]

Main UI View

1. Detailed monitoring screen (2)
“Graphical display” of threat detection/block statistics by IPS
[Screenshot: Monitor type; Statistics by perceived risk level of attack; IPS detection/block log; Top 10 attacks]

Main UI View

1. Detailed monitoring screen (3)
“Graphical display” of detection/block statistics of virus attacks
[Screenshot: Monitor type; Virus statistics by protocol; Virus detection/block log; Top 10 viruses]

Main UI View

1. Detailed monitoring screen (4)
“Graphical display” of detection/block statistics of spam mail
[Screenshot: Monitor type; Spam mail block statistics by filter; Spam mail detection/block log; Top 10 spam mail]

Main UI View

1. Detailed monitoring screen (5)
“Graphical display” of detection/block statistics of harmful websites
[Screenshot: Monitor type; Website filtering statistics by filter; Harmful website detection/block log; Top 10 filtered websites]
Appendix.
Appendix. ASEC – Overview

ASEC (AhnLab Security E-response Center) is a global security response unit of AhnLab consisting of the best malware analysts and security experts.

24*365 service
• ASEC monitors, analyzes and responds to new threats from around the world 24 hours a day.

Integrated signature for network & end-point
• ASEC provides integrated signatures for various threats occurring in networks, PCs, servers, mobile devices, etc.

Regular analysis information
• ASEC provides detailed information on malware and vulnerabilities. Through ASEC reports, trends in security threats are provided.

Monitoring/analysis systems for various threats
• ASEC Intelligence Network™
• BotNet™: BotNet information management system
• WebMon™: Website monitoring system
• BlueBox™: Malware packet gathering system
• Competence analysis system for vulnerability signatures (planned)
Appendix. ASEC – ASEC Response Process

ASEC (AhnLab Security E-response Center) has been providing powerful security service through its “malware & vulnerability analysis and response process” for more than 15 years.

[Flowchart: ASEC response process]
1. Malware outbreak
2. Sample collection
3. Sample analysis
4. Emergency response decision
5. Detailed sample analysis
6. Distributes analysis info.
7. Writes engine
8. QA test
9. Engine upload
10. End of emergency response
Appendix. ASEC – Security Threat Analysis Methodology

ASEC’s security threat analysis methods are as listed below.

Dynamic Analysis → Static Analysis

File analysis
1. File form analysis
2. In-use API analysis
3. String analysis

Symptom analysis
1. System analysis
2. Process analysis
3. Registry analysis
4. Network analysis
5. Other analyses

Information analysis
1. Additional analysis of symptoms
2. Gathering of various information
3. Check relevant matters

Code analysis
1. Disassembling
2. Debugging

Writes engine
1. Malicious code decision
2. Produces diagnosis signature & function
3. Writes analysis info.

• Vulnerability exploitation
• Use of executable compression technique
• Use of rootkit
• Sophistication of concealment technique (file, process)
• Use of polymorphic technique
• Leakage of private information
• Spyware + Trojan horse
• Various infection methods
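The static “File analysis” column above (file form analysis, in-use API analysis, string analysis) feeding the “malicious code decision” and “writes analysis info.” steps, as an added Python example. This is not AhnLab or ASEC code: the MZ/PE-shaped sample buffers, the packer-section and API watch-lists, the URL and autorun-key patterns and the scoring weights are all constructed for illustration, so a practitioner can see how each static indicator contributes to a verdict before the dynamic and code-analysis stages are reached.

```python
"""Static triage of a collected sample: file form analysis, in-use API
analysis, string analysis, then a malicious-code decision and the
analysis record. Added example, not AhnLab/ASEC code; samples,
watch-lists and weights are constructed for illustration."""
import re
import struct
from dataclasses import dataclass


def pe_like(body: bytes) -> bytes:
    """Wrap BODY in a minimal MZ/PE-shaped header (constructed sample, not a
    real executable): 'MZ' magic, e_lfanew at offset 60, PE signature at 0x80."""
    e_lfanew = 0x80
    header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    header += b"\x00" * (e_lfanew - len(header))
    return header + b"PE\x00\x00" + b"\x00" * 20 + body


# Constructed samples standing in for collected files.
SAMPLE = pe_like(
    b"UPX0\x00\x00\x00\x00"                     # packer-style section name
    b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    b"ws2_32.dll\x00connect\x00"
    b"http://c2.example.invalid/gate.php\x00"    # reserved .invalid TLD
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)
BENIGN = pe_like(b".text\x00\x00\x00kernel32.dll\x00GetTickCount\x00Hello, world!\x00")

# Watch-lists (constructed; the API names are real Win32 exports).
PACKER_SECTIONS = (b"UPX0", b"UPX1", b".aspack")
SUSPICIOUS_APIS = {
    "CreateRemoteThread": "code injection",
    "WriteProcessMemory": "code injection",
    "SetWindowsHookExA": "keylogging",
    "URLDownloadToFileA": "downloader",
}
URL_RE = re.compile(r"https?://\S+")
RUN_KEY = "currentversion\\run"   # compared case-insensitively


def file_form(data: bytes) -> dict:
    """File form analysis: validate MZ/PE headers and look for packer hints."""
    off = None
    if data[:2] == b"MZ" and len(data) >= 64:
        off = struct.unpack_from("<I", data, 60)[0]
    is_pe = off is not None and data[off:off + 4] == b"PE\x00\x00"
    return {
        "is_pe": is_pe,
        "pe_offset": off if is_pe else None,
        "packer_hint": [s.decode() for s in PACKER_SECTIONS if s in data],
    }


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """String analysis, step 1: printable-ASCII runs of at least min_len bytes."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def api_analysis(strs: list) -> dict:
    """In-use API analysis: watch-listed export names found among the strings."""
    return {s: SUSPICIOUS_APIS[s] for s in strs if s in SUSPICIOUS_APIS}


def string_analysis(strs: list) -> dict:
    """String analysis, step 2: network and persistence indicators."""
    return {
        "urls": [s for s in strs if URL_RE.search(s)],
        "persistence": [s for s in strs if RUN_KEY in s.lower()],
    }


@dataclass
class Verdict:
    label: str      # "clean", "suspicious", "malicious" or "not-pe"
    score: int
    reasons: list


def decide(data: bytes) -> Verdict:
    """Malicious code decision: weighted sum of the static indicators."""
    form = file_form(data)
    if not form["is_pe"]:
        return Verdict("not-pe", 0, ["not a PE image; outside this triage"])
    score, reasons = 0, []
    for name in form["packer_hint"]:
        score += 2
        reasons.append(f"packer section name {name}")
    strs = extract_strings(data)
    for name, technique in api_analysis(strs).items():
        score += 2
        reasons.append(f"references {name} ({technique})")
    found = string_analysis(strs)
    for url in found["urls"]:
        score += 2
        reasons.append(f"embedded URL {url}")
    for key in found["persistence"]:
        score += 3
        reasons.append(f"autorun registry path {key}")
    label = "malicious" if score >= 6 else "suspicious" if score >= 3 else "clean"
    return Verdict(label, score, reasons)


def analysis_record(data: bytes) -> dict:
    """'Writes analysis info.': the record filed together with the verdict."""
    v = decide(data)
    return {"verdict": v.label, "score": v.score, "indicators": v.reasons}


if __name__ == "__main__":
    for name, blob in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, analysis_record(blob))
```

The thresholds are intentionally coarse: a static pass like this only ranks samples for the symptom, information and code analysis stages that follow, and a packed file with few recoverable strings will score low here even when it is malicious, which is exactly why the methodology does not stop at file analysis.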
Appendix. ASEC – Synch with CERT

Through organic synch of “ASEC-CERT”, AhnLab provides effective responses to active malicious codes and attacks. By applying the threat monitoring & analysis information from ASEC-CERT in real time, AhnLab provides effective protection against zero-day attacks.

[Diagram: AhnLab Update Server → Signature → CDN/AST (KT AST, DACOM CDN, SK INTERNET) → Clients]

ASEC (AhnLab Security E-response Center)
• Threat monitoring & response
• Real-time response to threat/attack reports from CERT
• Security response prior to security patch through MAPP partnership with Microsoft

CERT (Computer Emergency Response Team)
• Real-time attack/threat information gathering through managed security clients
• Delivery of real-time attack/threat information to ASEC
Appendix. ACCESS system diagram (AhnLab Cloud Computing E-Security System)

ACCESS, a comprehensive threat analysis system by AhnLab based on cloud computing technology, provides prompt and effective response to fast-changing security threats.

[Diagram: ACCESS system]
• Comprehensive threat analysis system: CERT / ASEC (monitoring / response), Smart Defense, SiteGuard, heuristic analysis; new security partners (government/overseas)
• Threat information sources: managed security center (N/W threat info.), dangerous URLs, malicious codes
• Security management infrastructure: Smart Defense database, SiteGuard database, V3 engine, TrusGuard signature
• Customers and products: data center/service provider (game/banking; AOS, HackShield), large enterprises (TrusGuard, APC 4.0, SiteGuard), SMBs (Security Center, V3 365, SiteGuard), individual users (V3 IS 8.0, V3 MSS, SiteGuard, Mobile Security)
Beyond Security, More than Security

AhnLab TrusGuard

Thank you.