Wireless Network Security
Palo Alto Networks / Aruba Networks Integration
Slide deck, 15/11/13
Today’s Agenda
The Backdrop for Mobile Security
§ Changes in the application landscape
§ State of the art in mobile threats
§ Issues with the current approaches to enterprise security
Aruba Networks / Palo Alto Networks Integration
§ Introduction to the Palo Alto Networks Network Security Platform
§ Integration points with Aruba Networks ClearPass Guest
Resources
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Mobile Climate and Challenges

Today's challenge: once a user's on the network, IT can't control what they can do or access. Most organizations do not have the security within the infrastructure to control granular application-level access based on user and device type.

Need to control:
• Who gets on the network
• What devices get on the network
• What applications and content those users and devices can access

Challenge: Redefining the IT Service Model

Pre-BYOD vs. post-BYOD, by IT function:
• Engineering: design desktop, voice, network → self-selected devices, apps & services
• Operations: build & deploy → user-defined infrastructure
• Help Desk: support → self-provision, self-support
Securing Applications

Today's Typical Network
• Applications everyone needs…
• Applications everyone wants to hate…
• Applications everyone tends to ignore…
Applications shown on the slide: custom tcp, pop3, telnet, custom udp, SMB, ftp, VNC, SSL, snmp, LDAP, Active Directory, VPN, RDP, encrypted tunnel, dns.
Complexity Influencers
Chart: applications, users and threats together drive complexity and risk. Threat labels on the chart: SQL Slammer, SMTP, Aurora, Poison Ivy, APT1.

SSL: Security or Evasion?
26% (356) of the applications found can use SSL.
Source: Palo Alto Networks, Application Usage and Threat Report, Jan. 2013.
SSL/Port 443: The Universal Firewall Bypass
Chart labels (all riding on tcp/443): Gozi, Freegate, Rustock, Citadel, TDL-4, Aurora, Ramnit, Bot, Poison Ivy, APT1.
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

Port Hopping: Ease of Access or Evading Control?
18% (255) of the applications found can hop ports.
Managing Ports: A Bad Way to Control Applications
• Lync ports to open as recommended by Microsoft: random, non-contiguous communication ports and protocols
• …accessed by a distributed workforce with different security risk profiles

Threats to Wireless Networks
The Basics on Threat Prevention

Exploit
  What it is: bad application input, usually in the form of network traffic.
  What it does: targets a vulnerability to hijack control of the target application or machine.
Malware
  What it is: malicious application or code.
  What it does: anything – downloads, hacks, explores, steals…
Command and Control (C2)
  What it is: network traffic generated by malware.
  What it does: keeps the remote attacker in control and coordinates the attack.
Modern Attacks Are Coordinated
1. Bait the end-user: the end-user is lured to a dangerous application or website containing malicious content.
2. Exploit: infected content exploits the end-user, often without their knowledge.
3. Download Backdoor: a secondary payload is downloaded in the background; malware is installed.
4. Establish Back-Channel: the malware establishes an outbound connection to the attacker for ongoing control.
5. Explore & Steal: the remote attacker has control inside the network and escalates the attack.
Mobile Malware: DPlug
Flow shown on the slide: the victim installs the TTPod app from Google Play → an in-app purchase triggers the DPlug malware → DPlug sends the IMSI / IMEI via SMS → the user sees "Confirm?" and taps Accept → premium SMS billing. Labels around the billing step: Premium SMS, DPlug, Forged Subscribe, Attacker.

Attack chain on slide 16 (diagram labels, each stage with the evasion note attached to it):
• Exploit Kit – hidden within SSL
• Malware From New Domain – new domain has no reputation
• ZeroAccess Delivered – payload designed to avoid AV
• C2 Established – non-standard port use evades detection
• Data Stolen – internal traffic is not monitored
• Custom C2 & Hacking – custom protocol avoids C2 signatures
• Spread Laterally – RDP & FTP allowed on the network
• Secondary Payload – custom malware = no AV signature
Palo Alto Networks Network Security Platform
Enabling Applications, Users and Content
Applications Have Changed, Firewalls Haven't
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don't work any more.

Applications: Threat Vector and a Target
Threats target applications:
• Used as a delivery mechanism
• Application-specific exploits

Applications: Payload Delivery/Command & Control
Applications provide exfiltration:
• Confidential data
• Threat communication

Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Technology Sprawl and Creep Aren't the Answer
• “More stuff” doesn't solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn't address application control challenges
Diagram: Internet → UTM, IPS, DLP, IM, AV, URL, Proxy → Enterprise Network.

Making the Firewall a Business Enablement Tool
§ Applications: Safe enablement begins with application classification by App-ID.
§ Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
§ Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire.
NGFW in The Enterprise Network

Data Center
• Network segmentation
• Based on application and user, not port/IP
• Simple, flexible network security
• Integration into all DC designs
• Highly available, high performance
• Prevent threats

Perimeter
• App visibility and control in the firewall
• All apps, all ports, all the time
• Prevent threats: known threats; unknown/targeted malware
• Simplify security infrastructure

Distributed Enterprise
• Consistent network security everywhere
• HQ/branch offices/remote and mobile users
• Logical perimeter
• Policy follows applications and users, not physical location
• Centrally managed
Strategy for Protecting the Network
The funnel, with the callouts the slides attach to each stage:
1. Everything must go in the funnel: HTTP or all protocols? 20% of traffic encrypted by SSL; non-standard ports and tunneled traffic.
2. Reduce the attack surface: high-risk applications and features; block files from unknown domains; find and control custom traffic.
3. Block everything you can: exploits, malware, C2; variants and polymorphism; DNS, URLs, malicious clusters.
4. Test and adapt to unknowns: behavioral and anomaly analysis; automatically create and deliver protections; share globally.
5. Investigate and cleanup: events in app and user context; share indicators of compromise; integrate with end-point security; feed the SIEM.
16. 15/11/13
An Integrated Approach to Threat Prevention
Bait
the
end-‐user
Apps
Exploit
Download
Backdoor
Command/Control
(C2)
Block high-risk
apps
Block known
malware sites
URL
Block C2 on
open ports
Block fast-flux,
bad domains
IPS
Block the
exploit
Spyware
Block spyware,
C2 traffic
AV
Block malware
Files
Prevent driveby-downloads
Modern
Malware
Detect 0-day
malware
Block new C2
traffic
31 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Mobile App Analysis
App Collection
App Analysis
Protection and
Enforcement
App Stores
WildFire
GlobalProtect
Gateway
Malware
Signatures
URL and DNS
usage
Manual
Submission
Integration with
SIEM
API
32 | ©2013, Palo Alto Networks. Confidential and Proprietary.
16
18. 15/11/13
ClearPass and Palo Alto Networks

Aruba MOVE & ClearPass – Context: Mobility Network Services
• Core AAA, NAC
• Device profiling
• Guest + BYOD
Integration
• Exchange rich endpoint context
• Trigger real-time, intelligent network policies
• Extendable architecture
Palo Alto Networks – Next Generation Firewall
• L7+ application FW
• Content security
• Threat protection

Securing the Wireless with Palo Alto Networks
Diagram labels: Guests, Employee Asset, Contractor, Next-Generation Firewall.
Aruba Integration
§ Feed User-ID Data
  § Centralized username to IP address mapping
  § No software agents required; supports multiple identity stores
  § Rich visibility and reporting for compliance
§ Endpoint/Device Context
  § Feed device context to PAN, e.g. iPad, Android Phone
  § Enable policy enforcement based on new device context
  § Extensible schema allows adding more context to endpoint data
§ Centralized Identity Store
  § FW admin authentication using RADIUS
  § Provide services for VPN authentication

User-ID Architecture (diagram): ClearPass Policy Manager (AAA) → XML → Palo Alto Networks.
Assigning Security Policies Based on Device Type
§ ClearPass Guest fingerprints devices as they authenticate to the wireless environment
§ Palo Alto Networks integration shares the device fingerprint
§ Palo Alto Networks maps the device to a dynamic address object
§ Network security policy follows the device
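An added example, not from the deck or from either vendor: a Python sketch of the ClearPass-to-firewall flow described in the Aruba Integration and device-type slides, building the one XML message that carries both the username-to-IP mapping (Feed User-ID Data) and the device-fingerprint tag a dynamic address object is keyed on. The element names follow the PAN-OS User-ID XML API as I know it (uid-message / login / register); the event shape, the tag naming scheme and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample authentication events in a hypothetical shape; real ClearPass
# exports are not this format. The device strings stand in for ClearPass fingerprints.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "ip": "10.20.30.40", "device": "Apple iPad", "role": "Employee"},
    {"user": "guest-7781", "ip": "10.20.40.15", "device": "Android Phone", "role": "Guest"},
]

def device_tag(device: str, role: str) -> str:
    """Normalize role + fingerprint into one tag (assumed scheme). A dynamic address
    group on the firewall matches e.g. 'guest-android-phone', so policy follows the device."""
    return f"{role}-{device}".lower().replace(" ", "-")

def build_uid_message(events, timeout_min: int = 20) -> str:
    """Build a User-ID XML API update: <login> carries user->IP, <register> carries
    IP->tag. Element names assume the PAN-OS User-ID XML API; they are not in the deck.
    The timeout lets a mapping expire unless a fresh auth event renews it, so a
    reused DHCP lease does not inherit the previous user's policy."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    register = ET.SubElement(payload, "register")
    for ev in events:
        ET.SubElement(login, "entry", name=ev["user"], ip=ev["ip"], timeout=str(timeout_min))
        entry = ET.SubElement(register, "entry", ip=ev["ip"])
        tag = ET.SubElement(entry, "tag")
        ET.SubElement(tag, "member").text = device_tag(ev["device"], ev["role"])
    return ET.tostring(root, encoding="unicode")

def mappings_from_message(uid_xml: str) -> dict:
    """Parse a uid-message back into {ip: {"user": ..., "tags": [...]}}, the state the
    firewall derives from it; useful for checking what the connector actually sent."""
    root = ET.fromstring(uid_xml)
    out = {}
    for e in root.findall("payload/login/entry"):
        out.setdefault(e.get("ip"), {"user": None, "tags": []})["user"] = e.get("name")
    for e in root.findall("payload/register/entry"):
        out.setdefault(e.get("ip"), {"user": None, "tags": []})["tags"] += [
            m.text for m in e.findall("tag/member")
        ]
    return out

if __name__ == "__main__":
    msg = build_uid_message(SAMPLE_EVENTS)
    print(msg)
    print(mappings_from_message(msg))
```

The deck does not detail the transport; in PAN-OS a message like this is posted to the firewall's XML API as a user-id call with an API key, which is the credential to protect on the ClearPass side.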
How the Integration Works – From ClearPass

How the Integration Works – To Palo Alto Networks

Resources

Collateral – Tech Note
http://www.arubanetworks.com/aruba-partners/ecosystem-partners/