Training on

Unified Threat Management Systems & SSL VPN (SaaS)

By Amarjit Singh & Rishabh Dangwal Tulip Telecom Ltd.

Objectives
Security awareness Latest trends in security Device Awareness

Saving the world before bedtime, without worries :P

The notion of providing Security as a Service

We as an ISP have a tough enough job already.. But..

What about Security threats? How serious are they? Hackers are there..where are We ? What is the most effective and cost

efficient way to handle them?

Current Trends
Cyber-attacks are increasing in speed and sophistication

exponentially
Blended threats, hybrid attacks and APTs.. Getting automated tools is easy, increase in skid culture Security costs money, Security problems cost money, time and lots

of pain.

Attack Sophistication vs. Intruder Technical Knowledge

Courtesy Emil on security

Auto Coordinated Cross site scripting stealth / advanced scanning techniques packet spoofing denial of service

High

Staged

sniffers
Intruder Knowledge sweepers

distributed attack tools www attacks automated probes/scans GUI

back doors disabling audits network mgmt. diagnostics hijacking burglaries sessions Attack Sophistication exploiting known vulnerabilities

password cracking
self-replicating code

Low
1980

password guessing

Intruders
1995 2011

1985

1990

Software Vulnerabilities
99% of intrusions result from exploitation of known

vulnerabilities
Source: 2001 CERT, Carnegie Mellon University

Cause: programming bugs, bad testers, short sighted

development
Threat: lack of patches for the above Lizamoon SQLi exploited 1.5 million + hosts

E-mail Viruses
Primary medium for distributing threats Trojans Easy to create, quick to deliver, easy

to install
HTML viruses on email Innocent sounding Emails having malicious

attachments containing: Macros, VB scripts, java scripts and html scripts

File Based Threats

Example: Internet download

Viruses and malicious code infection:

P2P/Torrent IM applications Free software/shareware sites

Infected servers
Email

Threats bypass stateful packet inspection

firewalls
Once inside the network, others are

easily affected

Further..
Unpatched servers are ticking bombs

Viruses uploaded to network drives

Remote exploitation possible Nimda virus

And we have got Spyware..

Program that uses Internet without the Users knowledge
Approximately 80% of computers have some form of

Spyware (including corporate ones)

Spread using shareware, pop ups,p2p,shareware..the usual

suspects
Gathering information:

Browsing habits (sites visited, links clicked, etc.) Data entered into forms (including account names, passwords, text of Web forms and Web-based email, etc.) Key stokes and work habits

Spam
Unsolicited Email Multiple techniques to send mails Spoof email address
Image only mail Random text Text merging Token Manipulation URL hiding HTML Tag corruption Increase False positives Parse corruption

Metamorphic Spam Trojans

And much much more..

Leads to low productivity and server outages.

Network woes
Label spoofing Core hiding Replay attacks

Compromise of LIB
Access to LER And other MPLS security issues..

Router abuse
TACACS+ forced session_id collisions Sophisticated Packet body DOS Boot ios manipulation Improper tcl scripts (if present)

External factors
SNMP compromise

And its just the Tip of Iceberg

(a.k.a Raising the Attack Standards by a Notch)

Sophisticated DOS (Network,

application)
Advanced Persistent Threats Smartphone Abuse

Certificate abuse (DigiNotar -

PKIOverheid..)
Key abuse (RSA, anyone ?) Kernel Rootkits/Bootkits

Obsolete Defenses
Firewalls work on port blocking strategy Reactive approach Stateful Packet Inspection (SPI) :
Provides source / destination / state

intelligence
Provides NAT Stateful firewalls cannot protect against

multilayer threats
Is limited in nature

How TULIP can provide security ?

SaaS Security as a Service
SSL-VPN Unified Threat Management

Concept - SSL VPN

What is SSL VPN TECHNOLOGY?
Secure Sockets Layer (SSL) virtual private networks (VPN) provide secure remote access to an organizations resources. A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and other information transmitted between two endpoints. Because a VPN can be used over existing networks such as the Internet, it can facilitate the secure transfer of sensitive data across public networks.

The Landscape with SSL VPN

Why SSL VPN

SSL VPN solutions offer a flexible and highly secure way to extend network resources to virtually any remote user with access to the Internet and a web browser. Organizations can customize access and extend the reach of their corporate network to individuals based on their role, including the teleworker, contractor, or business partner.

Business challenge for EMS

Maximize employee productivity with access.

The solution to be commerciall y attractive.

Enforce strict security standards

The Landscape with Tulip Managed SSL

Complete Client-side Cleanup

Cleanup of end users system

at end of session. Configurable options of cache cleanup includes.

Cookies Temporary Internet Files Browser History Visited URLs Downloaded Program Files

Cleanup all traces of users

access and data downloaded at the end of session.

Authentication Mechanisms
Vast range of Authentication

mechanisms to choose from Supported Authentication mechanisms

Local Database RADIUS Active Directory (AD) LDAP RSA Secure ID Certificate based Authentication. Biometrics. SMS

Two-Factor or Multi-Factor

Authentication

Support for One Time Password (OTP)

and Public Key Infrastructure (PKI) Tokens

End-point compliance
SSL VPN End-point security service - Check devices before & during session - Ensure device compliance with corporate policy - Remediate devices when needed - Cross platform support

Virus

Home PC User

- No Anti-Virus Installed - Personal Firewall enabled - User remediated install antivirus - Once installed, user granted access

- No anti-virus installed - No personal firewall - User granted minimal access

Airport Kiosk Mobile User

Managed PC User

- AV Real-Time Protection running - Personal Firewall Enabled - Virus Definitions Up To Date - User granted full access

End Point Security & DLP

Access options with SSL VPN

There are Three different access options with SSL VPN
PHAT : Private Hyper Access Transport QAT : Quick Access Terminal WAT : Web Access Terminal

Access options with SSL VPN

What is WAT

Web Access Terminal (WAT) is clientless access modes where user needs just a browser to establish SSL VPN connection. Using WAT user can access web applications such as Outlook Web Access (OWA), Intranet, Share Point, web-based databases, etc from any location like Airport kiosk, Cyber Caf, etc.
What is PHAT

Private Hyper Access Transport (PHAT) is one of the modes to access the Virtual Private Network (VPN). Its small footprint web deployed software that gets installed on users machine. PHAT client provide IPSec like functionality to give full access to network.
What is QAT

Quick Access Terminal (QAT) is an intermediate client between the PHAT Client and the WAT Client. The users can access TCP based client applications without installing PHAT on their machines. Once configured by the Administrator for a particular group, QAT is started from the web portal.

Tunneling modes Split tunnel: Application traffic

targeted specifically for VPN subnets is routed over SSL VPN tunnel to SSL VPNPlus Gateway. Rest of the traffic flows follows normal LAN path.

sent to SSL VPN-Plus Gateway over SSL VPN tunnel for routing. In this case, complete data from users machine can be monitored on SSL VPN-Plus Gateway. If local subnets are not excluded for user, the user wont be able to access local LAN also.

Full tunnel: All Application traffic is

Scenario 1 Alternate Backup Link

SSL Server www
ADSL Link

Tulip IDC

X
Tulip Connect MPLS Backbone Remote Location

ERP Servers Central Location

Scenario 2 Instant Connectivity SSL Server Remote Customer Location Tulip Connect ADSL Link Not yet Installed Or getting delayed Remote (TNF) Location Customer Location Ready

www

Tulip IDC

Tulip Connect MPLS Backbone

ERP Servers 30 Central Location

Scenario 3 Extranet Connectivity SSL Server

www

Tulip IDC
Primary Link

Dealer Locations

Tulip Connect MPLS Backbone Remote Location

ERP Servers 31 Central Location

Scenario 4 Enterprise Mobility

SSL Server

www
Roaming Executives

Tulip IDC
Cyber Cafe Primary Link Tulip Connect MPLS Backbone User Moves Out

Remote Location ERP Servers

32 Central Location

User

The New Standard - UTM

Unified Threat Management / eXtensible Threat

Management
Integration of Firewall
Deep Packet Inspection
Intrusion Prevention for blocking network threats Anti-Virus for blocking file based threats Anti-Spyware for blocking Spyware

Faster updates to the dynamic changing threat environment

and elimination of False Positives

Multilayered security
Inhouse / Multivendor Approach

Spans Through 6 layers of OSI model

QOS and ACL implementation

Application Specific Integrated Circuits (ASICs) Network and

Coprocessors for dedicated tasks Evolved security

Deep Packet Inspection- Unified Threat Mgt.

PRO Series as a Prevention Solution
Full L2-7 signaturebased inspection Application awareness

Zone based security

Protect internally

Gateway Anti-Virus
Scan through unlimited files sizes Scan through unlimited connections Scan over more protocols than any similar solution

PS/GAV Dynamic Updates

Anti-Spyware for protection against

DPI

malicious programs
Blocks the installation of spyware Blocks Spyware that is emailed and sent internally

Applications Layer Threat

DPI

DPI

Protection:
Full protection from Trojan, worm, blended and polymorphic threats

Dept Zone

Server Zone

DPI: Intrusion Prevention /Gateway AV/ Anti-Spy

User Zone

Diagram courtesy Sonicwall

Security Must Be Updated

Signature Database
ATTACK-RESPONSES 14BACKDOOR 58BAD-TRAFFIC 15DDOS 33DNS 19DOS 18EXPLOIT >35FINGER 13FTP 50ICMP 115Instant Messenger 25IMAP 16INFO 7Miscellaneous44MS-SQL 24MSSQL/SMB 19MULTIMEDIA 6MYSQL 2NETBIOS 25NNTP 2ORACLE 25P2P 51POLICY 21POP2 4POP3 18RPC 124RSERVICES 13SCAN 25SMTP 23SNMP 17TELNET 14TFTP 9VIRUS 3WEB-ATTACKS 47WEB-CGI 312WEB-CLIENT

AV Database IPS Database Spy Database Content Filtering Database

Stateful inspection deals with only port scanning, no data is examined. Deep Packet Inspection with Intrusion Prevention can find and block, application vulnerabilities, worms or Trojans.
Stateful Packet Inspection Deep Packet Inspection Gateway Anti-Virus Anti-Virus Anti-Spyware Content Content Filtering Inspection Service

Firewall Traffic Path

Diagram courtesy Sonicwall

The 10 Defense Layers to Fight Spam

High performance Easily scalable

Image courtesy Sonicwall

Unified Threat Management Appliance

Firewall VPN Basic bandwidth Management Gateway AV, Intrusion Content Filtering Reporting & Reverse monitoring Secure Wireless High Availability - Appliance ISP Load Balancing/Failover Central Management Secured MPLS by MSSP (and

Prevention and Anti-spyware Modified for Router monitoring by combining with MSSP Trusted Certificate Management

link termination)

Deep , Dynamic, Real-Time Protection

Real time threat scanning engine at the gateway
AV/AS/IDS/IPS Protection from: Viruses, spyware, worms, trojans, app vulnerabilities External and Internal protection

Reassembly-free engine
Scans & decompresses unlimited number of files & file sizes

Supports over 80 protocol types including

SMTP, IMAP, POP3 Email, HTTP Web, FTP File Transfer Peer to Peer Transfers, NetBios Intra LAN Transfers, any stream-based protocol

Updateable database by an expert signature team

DOS protection from 22 types of DOS attacks

Application DOS prevention using EPS monitoring MSSP convergenace

Value Innovation Philosophy

Affordable
Reduces the Total cost of ownership

Simple
Unified AIO solution and easy to manage

Powerful
Integrated-Realitime-Dynamic

Thank You.

Questions ?