TrusGuard Standard Proposal
“The Best of Network Security solutions, AhnLab TrusGuard”
[Figure: threat landscape diagram; labels: The Bot, The Virus, The Hack, Injection, XSS, Attacker]
• Complexity of SPAM + Trojan + Phishing + Pharming
• Spread of DDoS & attacks on web applications
• Limitation in patch management
• Change of target from the unspecified general public to a specified target
• Emergence of profit-motivated cyber crimes
Following 2008, Trojan horses that steal internal and account information are still prevalent, and infections by worms, which usually spread malicious attacks on internal networks, as well as the emergence of new worms, are increasingly reported.
• Trojan horses for stealing internal & account information still make up a large share of threats to enterprises (39%)
• Reports of infection by “spreading worms”, which severely hinder the availability of internal networks and systems, and of their new variants are increasing
- Infection by worms through USB mobile storage devices is still happening
- Together with the popularization of wireless LAN, infection by worms through unauthorized PCs connecting to the internal network is increasing
[Figure: two pie charts of malware types reported to ASEC (Trojan, Dropper, Downloader, Worm, Script, Adware, Virus, Others); Trojans account for 39%]
Source: AhnLab ASEC Report (Dec., 2009)
Trend during a DDoS Attack (1)
○ The analysis of incoming threat types to the ISP network revealed…
- The most common DDoS attack, TCP SYN Flooding, is occurring consistently.
○ When the number of Bot-infected PCs increases, the threat of DDoS attacks also increases.
[Figure: chart of UDP Flooding and TCP SYN Flooding volume against the number of Bot-infected PCs worldwide]
DDoS attacks have shifted from attacks that drain bandwidth to attacks that drain system resources and target application weaknesses.
[Figure: timeline of DDoS attack evolution: Early to mid 2000s / 2006 ~ 2007 / 2008 ~]
DDoS Attack Trends (3)
[Recent Attacks]
Various companies in the financial industry, the public sector, small online service companies, etc. are exposed to the threat of DDoS attacks.
○ 2007. 6~8 : Money demanded from travel and pension reservation sites, etc.
○ 2007.5 : Estonian government and parliament sites paralyzed
Threats that exploit vulnerabilities in web applications
The most prevalent threat types in web application attacks are XSS (Cross-site Scripting) and SQL injection. They exploit vulnerabilities to leak private information, steal account privileges and alter/destroy data.
[Figure: chart of web application vulnerability categories; labels: Asset management error, Directory search, Information leakage, Buffer error, Others]
○ The SQL injection attack type is changing…
- from stealing data inside the DB
- to infecting/spreading malicious code to connected users by deploying the malicious code inside the DB.
As various IT devices and applications emerge rapidly due to the advancement of Internet business, the client's system is becoming overexposed to numerous attack routes.
[Figure: attack routes; labels: Vulnerabilities in OS and commercial programs, Internet surfing, Mobile storage devices, Instant messaging programs, Wireless, File download]
Diversified Attack Routes (2)
Indeed, the downloading of spreading worms and zombie malware during web surfing is rapidly increasing.
Among the attack routes of viruses and worms in Korean companies with 5 or more employees, “infection through downloading from the Internet” ranked highest with a rate of 85.0%.
By industry, manufacturing (89.1%), wholesale (87.7%) and construction (87.6%) showed relatively higher rates of “infection through downloading from the Internet”, and even in banking and insurance the rate was 80.8%.
[Figure: chart of infection routes; Others 2.4%]
Source : Survey on information security in enterprises, 2008
Network Security Trend
Technology in network security appliances is progressing toward multi-core based, high-performance platforms.
With rapid advances in H/W technology and a tendency toward Green IT, “integration of practical security functions” is the new direction in network security appliances.
[Figure: evolution of network security appliances: Single-purpose → Combined functions → Practical integration]
• Green IT in Security
• Integrated Security
- Integration of Firewall & IPS
- Combination of functions (Firewall+VPN+IPS+AV+AS)
• Overcoming performance limitations
Contents of security functions
Integrated management
- Log analysis & real-time display
- Correlation analysis of threat data
- 50 types of security analysis reports
I(D)PS
- Signature-based detection & prevention of attacks
- Behavior-based detection & prevention of attacks
- More than 6 thousand rules for detecting attacks
- 3-phase mechanism for preventing attacks
- NAC function (synched with end-point V3)
Anti-Virus
- Prevention of intrusion by virus, worm, spyware, phishing, etc.
- Supports HTTP/SMTP/POP3/FTP
- Equipped with V3 engine
- 365*24 ASEC service / CDN
Anti-Spam / Web Filtering
- Black list-based spam filtering
- Spam engine-based filtering
- Keyword-based filtering
- Spam quarantine & storing
- Access filtering of harmful sites
Special Advantages of AhnLab TrusGuard
TrusGuard is based on a high-performance hardware platform and an S/W architecture design optimized for that platform.
To achieve high performance when running multiple functions, every model of TrusGuard (except the SOHO model) is configured with a multi-core platform and an optimized architecture design.
[Figure: multi-core architecture diagram; labels: Core 4, Anti-Spam]
TrusGuard provides a flexible VPN network with enhanced security that meets the client's environment.
• NAT Traversal: Supports IPSec in NAT environments that use private IP.
• Dual Line: Supports VPN Line Take Over via ADSL (2 lines or more)
• Connects SSL VPN: Provides high-performance VPN through the equipped
TrusGuard effectively prevents the spread of worm/Bot infections from the branch to the HQ system through its powerful IPS-synch function.
TrusGuard allows flexible setup of the VPN network, as both IPSec VPN and SSL VPN are supported in the same appliance.
- When connecting via SSL VPN, AhnLab Online Security (PC firewall / Anti-Key logger Program) is automatically installed; then the security status of the connected PC is checked to strengthen the internal security of the enterprise.
[Figure: VPN deployment diagram; labels: AhnLab Online Security installation, Backbone Network, DMZ, Server farm, SSL VPN Tunnel, IPSec VPN Tunnel, Malicious traffic in VPN Tunnel, University department network, TrusGuard, Department A, Department B, Department C, Branch Z]
TrusGuard Features – IPv6 (to be provided in May, 2010)
TrusGuard supports IPv4 & IPv6 dual-stack security settings in real network environments.
TrusGuard provides full security for various network environments where IPv6 is applied.
[Figure: IPv6 deployment diagram; labels: IPv6 web server, HQ IPv6, NAT & Logging, Stateful Inspection, Tunneling]
Zero-Day Attack Prevention
• Early prevention of malicious codes/attacks
- Pre-distribution of signatures for predicted ‘vulnerability attacks.’
• Microsoft MAPP Partnership
Outbreak Prevention
• Prevents vulnerability estimation.
- Distributes signatures for preventing early spreading.
Up-to-date & Accurate
• 2~3 signature updates per day
- Maintains up-to-date signatures.
• Collaboration with internal CERT (Managed Security Center)
• 24*7*365 support
* ASEC : AhnLab Security E-response Center * CERT : Computer Emergency Response Center
Collaboration
ASEC
• Malware collection & analysis of trends
• Analysis of NW attack trends
• Proactive Prevention
• Writing/Distribution of signatures
Acquires & responds to real-time attack/threat information.
CERT
• No. 1 managed security provider in Korea
• Provides managed security service to major clients.
• Real-time response to NW attacks
Phase 1 : Pattern estimation and distribution of the prevention policy
Phase 2 : Distribution of the early-prevention policy
Phase 3 : Distribution of the prevention policy for network worms
TrusGuard is very powerful in combating various vulnerability attacks and malicious codes.
TrusGuard possesses more than 6,000 security response rules, the largest of any IPS worldwide, and, through ASEC, provides 24*365 monitoring/analysis service, daily 2~3 update service and emergency response service.
• World's largest security response signature set (6,000)
* ASEC (AhnLab Security E-response Center) : A specialized unit in AhnLab that provides monitoring/analysis of malware/attacks, response service and signature writing.
TrusGuard Features – Detection/Block of Zombie Malware
TrusGuard detects zombie malware and prevents the infection and spread of zombie malware.
TrusGuard not only prevents DDoS using Bots but also prevents the infection of internal PCs by Bots. Also, even if internal PCs are infected by a Bot, TrusGuard protects the client's network by performing various operations to prevent the Bot from running.
[Figure: Block malware spreading point; Block external infection by Bot; Block internal spreading of Bot]
TrusGuard Features – ACCESS-synched Prevention of Zombie Malware
TrusGuard provides real-time detection/prevention of active zombie malware (Bots) through synch with the ACCESS system, which is based on cloud-computing technology.
The ACCESS-based DDoS monitoring system is AhnLab's unique monitoring and analysis system for zombie malware. With information gathered from 10 million sensors for detecting zombie malware, it provides real-time analysis & response service.
[Figure: Sensor → ACCESS → Applied to TrusGuard; Enterprise: Block zombie malware; Prevents spreading of zombie PCs]
TrusGuard Features - NAC
TrusGuard provides a NAC function through synching with end-point security solutions.
TrusGuard is synchronized with V3, an anti-virus product by the same company, to…
① prevent access by PCs without the APC Agent that performs ‘V3 installation & up-to-date V3 update.’
② quarantine infected PCs from the internal network and perform automatic repair (when using the IPS license).
Through this, TrusGuard prevents infected PCs from spreading to internal networks and, above all, strongly blocks the activity of zombie malware through synch with the DDoS monitoring system.
[Figure: NAC deployment diagram; labels: Headquarters, Core Network, DMZ, TrusGuard 1000, Server Farm, Internet, VPN Tunnel, V3-installed PCs]
TrusGuard provides strong protection from DDoS attacks, a major type of network attack.
TrusGuard is equipped with a special DDoS defense engine that is finely phased and currently patent-pending overseas.
1st Phase : Runs the DDoS detection engine.
- When a certain session threshold is reached, it is judged as a DDoS attack.
2nd Phase : Runs anti-spoofing protection.
- Filters spoofed packets by sending virtual responses to TCP connection attempts under attack situations.
3rd Phase : Runs dynamic protection.
- For packets judged to be attacks after real-time analysis of packets under attack situations, a rate limit is applied.
4th Phase : Runs segment protection.
- Performs self-learning of session statistics on connections per source IP segment during normal time.
- Blocks an IP segment with abnormal session connections after judging it as an attack under attack situations.
5th Phase : Runs HTTP BotNet protection.
- Blocks large volumes of HTTP BotNet attacks that occur after a TCP session is connected.
*Financial Supervisory Service (FSS): Korea's government agency which monitors and audits all financial institutions operating in Korea, and imposes sanctions against those which violate the financial regulations of the nation.
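The 1st and 4th phases above (a session threshold that declares an attack situation, then per-source-segment statistics learned in normal time and applied under attack), worked as an added Python example; this is illustrative code, not TrusGuard's engine, and the /24 segment size, the 3-sigma limit, the threshold of 100 sessions per window and the sample windows are all assumptions.

```python
"""Constructed illustration of phase 1 (session threshold) and phase 4
(per-segment self-learning) as described above. Not TrusGuard code;
every threshold and all sample data here are assumptions."""
from collections import Counter, defaultdict
from statistics import mean, pstdev
import ipaddress


def segment(ip, prefix=24):
    """Map a source IP to its /prefix segment, e.g. 10.1.1.7 -> 10.1.1.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def is_attack_situation(new_sessions, threshold=100):
    """1st phase: once new sessions in a window reach the threshold, the
    window is treated as an attack situation (threshold is an assumption)."""
    return new_sessions >= threshold


class SegmentBaseline:
    """4th phase: learn per-segment session counts during normal time and,
    under attack, report segments whose count exceeds mean + sigma*stddev."""

    def __init__(self, prefix=24, sigma=3.0, min_stddev=1.0):
        self.prefix, self.sigma, self.min_stddev = prefix, sigma, min_stddev
        self.history = defaultdict(list)  # segment -> per-window session counts

    def learn(self, window_src_ips):
        """Record one normal-time window; each IP entry is one new session."""
        counts = Counter(segment(ip, self.prefix) for ip in window_src_ips)
        for seg, n in counts.items():
            self.history[seg].append(n)

    def _limit(self, counts):
        # Floor the deviation so a perfectly steady segment still gets some slack.
        return mean(counts) + self.sigma * max(pstdev(counts), self.min_stddev)

    def abnormal_segments(self, window_src_ips):
        """Return {segment: count} for segments above their learned limit. A segment
        never seen in normal time is judged against the limit over all segments."""
        all_counts = [n for hist in self.history.values() for n in hist]
        global_limit = self._limit(all_counts) if all_counts else float("inf")
        flagged = {}
        for seg, n in Counter(segment(ip, self.prefix) for ip in window_src_ips).items():
            hist = self.history.get(seg)
            limit = self._limit(hist) if hist else global_limit
            if n > limit:
                flagged[seg] = n
        return flagged


def hosts(net, count):
    """Constructed sample: the first `count` host addresses of a /24 as strings."""
    return [f"{net}.{i}" for i in range(1, count + 1)]


# Constructed normal-time windows: three quiet windows from known segments.
NORMAL_WINDOWS = [hosts("10.1.1", 5) + hosts("10.1.2", 4) + hosts("203.0.113", 3)
                  for _ in range(3)]
# Constructed attack window: a known segment blows up and an unseen segment floods.
ATTACK_WINDOW = hosts("10.1.1", 6) + hosts("10.1.2", 50) + hosts("198.51.100", 200)


def run_demo():
    """Learn from the normal windows, then evaluate the attack window.
    Returns (attack_situation, flagged_segments)."""
    baseline = SegmentBaseline()
    for window in NORMAL_WINDOWS:
        baseline.learn(window)
    attack = is_attack_situation(len(ATTACK_WINDOW))
    flagged = baseline.abnormal_segments(ATTACK_WINDOW) if attack else {}
    return attack, flagged


if __name__ == "__main__":
    print(run_demo())
```

The segment that behaved normally (10.1.1.0/24, 6 sessions against a learned limit of 8) is left alone, which is the point of learning per segment rather than blocking everything once the threshold trips.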
TrusGuard Feature – Defense against DDoS Attack
TrusGuard provides strong protection from a DDoS attack, a major type of network attack.
TrusGuard is equipped with protection functions against DDoS attacks of various sorts, as listed below. Preventable attack patterns are constantly updated by AhnLab ASEC & the DDoS Special Unit.
Direction | Attack Category | Attack Type | Prevention Type
Inbound DDoS Attack | TCP Flooding Attack | TCP SYN Flooding; TCP SYN Flooding Spoofing; TCP ACK Flooding; TCP ACK Flooding Spoofing; TCP NULL Flooding; TCP NULL Flooding Spoofing; SYN-ACK Flooding; RST Flooding; IP Random Fragment Flag | Filtering by the special DDoS engine
Inbound DDoS Attack | UDP Flooding Attack | UDP Flooding; UDP Flooding Spoofing; IP Random Fragment Flag | Filtering by the special DDoS engine
TrusGuard uses the V3 engine, which is proven worldwide for its superiority in virus filtering.
TrusGuard fully blocks the intrusion of malware into the internal network by utilizing 20 years of virus analysis technology and the V3 DB.
V3 is an internationally acclaimed anti-virus engine which has won several international certifications such as ‘VB 100’ and ‘Check Mark.’
TrusGuard has a powerful advantage in preventing malware that changes in real time because it uses a proprietary internal AV engine.
[Figure: V3 engine update flow; labels: ASEC, AhnLab CDN, V3 engine, INTERNET, Virus/Malware]
TrusGuard Features – Anti-Spam
TrusGuard uses a Global Anti-Spam Engine that is used by more than 100 customers worldwide.
TrusGuard features a superb spam filtering rate of 97% and a very small false-positive rate of 1 in 1.5 million.
TrusGuard also provides a preemptive filtering function against “unknown viruses” distributed via E-mail.
• Detection of spam from 130 nations
• Powerful spam filtering: “97% spam filtering rate”, “False-positive rate of 1 in 1.5 million”
• Preemptive filtering of unknown E-mail viruses
[Figure: Spam Detection Engine diagram]
TrusGuard can prevent intrusion by malware into the internal network through blocking access not only to non-work related websites but to malware distribution sites/phishing sites as well. (to be provided in May, 2010.)
TrusGuard is equipped with its own DB of malware distribution sites, which have become major sources of malware distribution. This DB is updated in real time to provide up-to-date protection.
[Figure: website filtering diagram; labels: DMZ, Server farm, Non-work related sites DB, Blocks access to non-work related websites, Blocks synch.]
12. Analyzing various security threat events and monitoring & reporting should be available.
TrusGuard UTM provides detection, prevention, and analysis of security events including firewall, IPS, anti-virus, and anti-spam through a “Single Interface.”
[Figure: single-interface log view; labels: Firewall, Log]
TrusGuard Features – AhnLab TrusGuard Manager
TrusGuard provides the management tool for efficient control of many appliances.
TrusGuard Manager is a management tool for controlling many TrusGuard appliances. Chief among its major advantages are a “user-oriented simple & dynamic UI” and a “powerful monitoring function for managed appliances.”
[Figure: Manager Overview]
1. You can build a reliable and flexible high-performance network security environment.
• “Prevention of malware spreading among distribution networks” in HQ ③
- By implementing TrusGuard in the front area of the segment network, internal spread and external attack of worms/zombies can be prevented.
[Figure: HQ deployment diagram; labels: Headquarters, Core Network, DMZ, Server Farm, Internet, ① TrusGuard 100, ③ TrusGuard 100, TrusGuard 500, TrusGuard 400]
Customer Benefits
3. You can build a network environment that is free from external security threats.
1. Establishment of a network environment free from external security threats is possible. (Continued)
• Three-phased blocking method protects the network from “unknown network attacks.”
Phase 1: Update the predictive prevention blocking rules before the advent of the worms
- Distribution of predictive prevention rules for potential worms and attacks through OS vulnerability analysis.
- Proactive measures against worm variant patterns
Customer Benefits
[Figure: issues of point solutions; labels: Trouble shooting risks, High costs for adopting the solution, Issue of securing the necessary operation workforce]
Customer Benefits
[Firewall Only]
• Traffic filtering unavailable
• Wide-spread garbage traffic
• Compromised network resource efficiency
[Figure: traffic passing a firewall-only deployment; labels: Malicious Code, Spam, P2P, Web surfing, Messenger, Harmful sites (Securities/Gambling), Work traffic]
○ Improved security configuration
- Single-core firewalls were removed and TrusGuard 1000 units were double-stacked.
- Active-Active High Availability setting
- Automatic backup by configuring OSPF in the redundant router / security appliance area
○ Benefits
- Flexible handling of volume increases in multimedia & Internet contents.
[Figure: redundant deployment diagram; labels: OSPF setting router, A-A HA setting, TrusGuard]
○ Improved security configuration
- TrusGuard was deployed as an exclusive DDoS protection appliance in front of the firewall in the Internet gateway.
○ Benefits
[Figure: DDoS protection deployment; labels: L4 switch, C&C server, DDoS Control, Attacker (Web/Application vulnerability attack, Worm, Bot, Trojan, etc.), Internet]
[Figure: gas station VPN network diagram; labels: Branch, Center, TrusGuard 50, VPN, Local network, DB, ATM (Integrated management), Integrated policy setting, <Internet>, Standby]
Implementation Case: 00 Gas Station (VPN Network) (2)
- Used an exclusive 256K data line for the connection between HQ and gas stations under direct control. Too expensive when using the exclusive data line.
- No additional system that could respond to security threats was present except the firewall in HQ. Very vulnerable to worms and malware that infect a gas station and then spread to the entire network.
○ Improved security configuration
- Using the IPSec VPN of TrusGuard, the connection between HQ and stations was configured in a gateway-to-gateway setting.
- On the deployed TrusGuard, the entire set of functions (firewall, VPN, IPS, AV, anti-spam and website filtering) was implemented.
○ Benefits
- The expensive fee for the exclusive data line was reduced to the level of high-speed Internet broadband lines: cost saving while maintaining the security level.
- By running the various security functions of TrusGuard (IPS, Anti-virus, Anti-spam, Blocking harmful websites, etc.), the availability of the station network was ensured by blocking incoming threats at the network level.
- By preventing malware like worms and Bots that infect a station from spreading to the internal network through the VPN tunnel,
1) the availability of the VPN network between HQ and branches was ensured;
2) the major server systems in HQ are protected from various security threats.
- Synch with the DDoS monitoring system effectively prevents zombie malware from intruding into and spreading through the internal network.
Implementation Case: 00 University (End-point Synch Security)
○ Benefits
1) Security domains per school department were established.
- Different security policies per school department (FW, IPS, AV, etc.)
[Figure: university deployment diagram; labels: Backbone Network, DMZ, ATM, Server farm, Internet]
TrusGuard is “Korea's only network security solution” that is implemented in the IPv6 pilot network.
[Figure: IPv6 pilot network diagram (in 000 district office); labels: 6to4 tunneling, Firewall, IPv6 RA (Router Advertisement), IPv6 client network, IPv6 connected network, IPv4 commercial network, 6KANet, Internet, IPv6 PCs, IPv6 network]
Detailed Functions
Network
- Route & Transparent Mode supported
- Static & Dynamic Routing supported (RIPv1, RIPv2, OSPF)
- Source Routing supported
- Multicast Routing Protocol (PIM-SM)
- 802.1Q VLAN, 802.3ad Port Aggregation
- DHCP Server / DHCP Relay (in Bridge mode), DNS / Split DNS
- Bypass function supported
- SNMP v1 / v2 supported
- NTP supported
- SIMS linkage supported
Specifications of Major Functions (2/6)
SSL VPN Client System Requirements: Windows 2000 / Windows XP / Windows Vista, IE 6.0 or higher
Supports SSL accelerator (Optional)
Specifications of Major Functions (5/6)
Website Filtering
- Interface with the database of the Korea Communications Standards Commission and blocking of user-defined URLs
- User-defined website filtering supported (wildcard supported)
- Configures exceptions to source/destination-based website filtering
Proxy
- Supported proxies : HTTP, POP3, SMTP, FTP, Oracle, DNS, UDP, General TCP
- Active-X, JavaScript, Applet, VBScript, Textarea tag and other tags blocked
- Blocks a command (FTP, SMTP)
- Blocks Mail Relay (SMTP)
- Blocks showing internal IP information to the outside
Specifications of Major Functions (6/6)
NAC
Network access control by linking with APC, the V3 anti-virus solution management program
- PCs that do not have APC installed have their Internet access controlled and are redirected to an installation page
- PCs infected with malicious code are quarantined from the network and forcibly repaired by APC
Specifications
Line-up (7 models, lowest to highest; values listed per model in that order)
Operation Mode: Route Mode / Transparent Mode (all models)
CPU: Single | Dual | Dual | Dual | Quad | Quad | Exclusive Multi Core
10/100 Switch: 4 | 4 | - | - | - | - | -
Giga Port (Copper): 4 | 4 | 6 | 4 | 4 | 4 | 8
Giga Port (Fiber): - | - | - | 2 | 4 | 8 | 8
10G Port: - | - | - | - | - | - | 2 (4 ports for expansion, except Copper 1G * 8)
Bypass: Support Bypass (Copper) | Support Bypass (Copper) | Support Bypass (Copper) | Support Bypass (Copper/SFP) | Support Bypass (Copper/SFP) | Support Bypass (Copper/SFP) | Support Bypass (10G/SFP)
Firewall Throughput: 150Mbps | 300Mbps | 600Mbps | 1.2Gbps | 2Gbps | 4Gbps | 20G
TrusGuard fully protects your assets through a high-performance firewall/VPN & provides high-quality security response capability.
[Figure: Main UI views; panels: Firewall – Usage by service; Top 10 attacks; Virus – Top 10 viruses; Spam mail – Top 10 spam mail; Harmful website – Top 10 filtered websites]
Appendix. ASEC
ASEC (AhnLab Security E-response Center) is a global security response unit of AhnLab consisting of the best malware analysts and security experts.
Regular analysis
• ASEC provides detailed information on malware and vulnerabilities. Through ASEC reports, trends in security threats are provided.
Monitoring/analysis information systems for various threats
• ASEC Intelligence Network TM
• BotNet TM : BotNet information management system
• WebMon TM : Website monitoring system
• BlueBox TM : Malware packet gathering system
• Competence analysis system for vulnerability signatures (planned.)
Appendix. ASEC – ASEC Response Process
ASEC (AhnLab Security E-response Center) has been providing powerful security service through the ‘malware & vulnerability analysis and response process’ for more than 15 years.
[Figure: ASEC response process; labels: KT, DACOM, SK, AhnLab Update Server, AhnLab CDN, INTERNET, Data center/service provider, Comprehensive threat analysis system, New malicious codes, Security partners (Government/Overseas), Managed security center, Smart Defense, N/W threat info., Dangerous URLs, SiteGuard, CERT, ASEC, Heuristic Monitoring / Response, Game/Banking, TrusGuard, APC 4.0, Security Center, SMBs, Individual users, V3 365, V3 IS 8.0, V3 MSS, Mobile Security]
Beyond Security, More than Security
Thank you.