Wireless Network Security Palo Alto Networks / Aruba Networks Integration

15/11/13

Wireless Network Security
Palo Alto Networks / Aruba Networks Integration

Today’s Agenda
The Backdrop for Mobile Security
§  Changes in the application landscape
§  State of the art in mobile threats
§  Issues with the current approaches to enterprise security

Aruba Networks / Palo Alto Networks Integration
§  Introduction to the Palo Alto Networks Network Security Platform
§  Integration points with Aruba Networks ClearPass Guest

Resources

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

1

15/11/13

Mobile Climate and Challenges
Todays
Challenge:

Once
a
user’s
on
the
network,
IT
can’t

control
what
they
can
do
or
access.

Most
organiza<ons
do
not
have
the

security
within
the
infrastructure
to

control
granular
applica<on
level

access
based
on
user
and
device
type.

Need
to
Control:

•  Who
gets
on
the
network

•  What
devices
get
on
the
network

•  What
applica<ons
and
content

those
users
and
devices
can
access

• Page 3 | © 2013 Palo Alto Networks. Proprietary and Confidential.

Challenge: Redefining the IT Service Model
PRE-BYOD
Engineering

Opera0ons

Help
Desk

POST-BYOD
Design
desktop, voice,
network

Build & deploy

Self-selected
devices, apps
& services

User-defined
infrastructure

Support

Self-provision
Self-support

2

15/11/13

Securing Applications

Today’s Typical Network
Applications everyone
needs…

wants to hate…
tends to ignore…
custom tcp

pop3
telnet

custom udp
SMB
ftp
VNC

SSL
snmp
LDAP
Active
Directory

VPN

RDP
encrypted
tunnel

dns

3

15/11/13

Complexity Influencers
APT1
Poison
IVY

Aurora

Complexity
and Risk

SQL
Slammer

SMTP

Applications

Users

Threats


SSL: Security or Evasion?

26% (356) of the applications found can use SSL
8 | ©2012 Palo Alto Networks. Confidential and Proprietary.

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

4

15/11/13

SSL/Port 443: The Universal Firewall Bypass
Gozi

Freegate

Rustock

Citadel

TDL-4
Aurora

Ramnit
Bot

tcp/443

Poison IVY
APT1

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

Port Hopping: Ease of Access or Evading Control?

18% (255) of the applications found can hop ports

5

15/11/13

Managing Ports: A Bad Way to Control Applications
Lync ports to open as recommended by Microsoft

Random, non-contiguous communication ports and protocols
…… accessed by distributed workforce with different security risk profiles


Threats to Wireless Networks

6

15/11/13

The Basics on Threat Prevention
Threat

What
it
is

What
it
does

Exploit

Bad
applica<on
input

usually
in
the
form

of
network
traﬃc.

Targets
a

vulnerability
to

hijack
control
of
the

target
applica<on
or

machine.

Malware

Malicious
applica<on
Anything
–

or
code.

Downloads,
hacks,

explores,
steals…

Command
and

Control
(C2)

Network
traﬃc

generated
by

malware.

Keeps
the
remote

aVacker
in
control

ands
coordinates
the

aVack.

Modern Attacks Are Coordinated

1
Bait
the

end-‐user

End-‐user

lured
to
a

dangerous

applica<on
or

website

containing

malicious

content

2

3

4

5

Exploit

Download

Backdoor

Establish

Back-‐Channel

Explore

&
Steal

Infected

content

exploits
the

end-‐user,

oYen
without

their

knowledge

Secondary

payload
is

downloaded

in
the

background.

Malware

installed

Malware

establishes
an

outbound

connec<on
to

the
aVacker

for
ongoing

control

Remote

aVacker
has

control
inside

the
network

and
escalates

the
aVack


7

15/11/13

Mobile Malware: DPlug

TTPod App in Google Play

Vic0m

In-App Purchase
Dplug Malware
Sends IMSI / IMEI via SMS
Confirm?
Accept

Premium SMS Billing

Premium
SMS

DPlug

Forged
Subscribe

AVacker

Hidden
within SSL

New domain
has no
reputation

Payload
designed to
avoid AV

Non-standard
port use evades
detection

Exploit Kit

Malware From
New Domain

ZeroAccess
Delivered

C2
Established

Data Stolen

Custom C2
& Hacking

Spread
Laterally

Secondary
Payload

RDP & FTP
allowed on the
network

Custom
malware = no
AV signature

Internal traffic is
not monitored

Custom protocol
avoids C2
signatures


8

15/11/13

Palo Alto Networks
Network Security Platform

Enabling Applications, Users and Content


9

15/11/13

Applications Have Changed, Firewalls Haven’t

Network security policy is enforced
at the firewall
•  Sees all traffic
•  Defines boundary
•  Enables access
Traditional firewalls don’t work any
more

Applications: Threat Vector and a Target

Threats target applications
• 
• 

Used as a delivery mechanism
Application specific exploits


10

15/11/13

Applications: Payload Delivery/Command & Control

Applications provide exfiltration
• 
• 

Confidential data
Threat communication


Encrypted Applications: Unseen by Firewalls

What happens traffic is encrypted?
• 
• 

SSL
Proprietary encryption


11

15/11/13

Technology Sprawl and Creep Aren’t the Answer
•  “More stuff” doesn’t solve the problem
•  Firewall “helpers” have limited view of traffic
•  Complex and costly to buy and maintain
•  Doesn’t address application control challenges

UTM

Internet

IPS

DLP

IM

AV

URL

Proxy

Enterprise
Network


Making the Firewall a Business Enablement Tool
§  Applications: Safe enablement begins with
application classification by App-ID.

§  Users: Tying users and devices, regardless of
location, to applications with User-ID and
GlobalProtect.

§  Content: Scanning content and protecting
against all threats – both known and unknown;
with Content-ID and WildFire.


12

15/11/13

•  Network

segmenta0on

•  Based
on

applica<on
and

user,
not
port/IP

•  Simple,
flexible

network
security

•  Integra<on
into

all
DC
designs

•  Highly
available,

high

performance

•  Prevent
threats

Distributed
Enterprise

•  App
visibility
and

control
in
the

firewall

•  All
apps,
all

ports,
all
the

<me

•  Prevent
threats

•  Known
threats

•  Unknown/
targeted

malware

•  Simplify
security

infrastructure

Data
Center

Perimeter

NGFW in The Enterprise Network

•  Consistent

network
security

everywhere

•  HQ/branch

offices/remote

and
mobile

users

•  Logical
perimeter

•  Policy
follows

applica<ons
and

users,
not

physical
loca<on

•  Centrally

managed


Strategy for Protecting the Network
Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

•  HTTP or all
protocols?

•  20% of traffic
encrypted by
SSL"

•  Non-standard
ports and
tunneled traffic

Investigate and cleanup


13

15/11/13





•  High risk
applications
and features"

•  Block ﬁles
from unknown
domains"

•  Find and
control custom
trafﬁc





•  Exploits,
malware, C2

•  Variants and
polymorphism



•  DNS, URLs,
malicious
clusters



14

15/11/13





•  Behavioral and
anomaly
analysis"

•  Automatically
create and
deliver
protections"

•  Share globally





•  Events in app
and user
context"


•  Share
indicators of
compromise"


•  Integrate with
end-point
security"

•  Feed the SIEM



15

15/11/13

An Integrated Approach to Threat Prevention
Bait
the
end-‐user

Apps

Exploit

Download
Backdoor

Command/Control
(C2)

Block high-risk
apps
Block known
malware sites

URL

Block C2 on
open ports
Block fast-flux,
bad domains

IPS

Block the
exploit

Spyware

Block spyware,
C2 traffic

AV

Block malware

Files

Prevent driveby-downloads

Modern

Malware

Detect 0-day
malware

Block new C2
traffic


Mobile App Analysis
App Collection

App Analysis

Protection and
Enforcement

App Stores

WildFire
GlobalProtect
Gateway

Malware
Signatures

URL and DNS
usage

Manual
Submission
Integration with
SIEM
API


16

15/11/13

Integration Points

Integration with wireless infrastructure

Iden<fy
and

authen<cate
who

and
what
gets
on
the

network

Protect
network

based
on

applica<on,
user
and

content

17

15/11/13

ClearPass and Palo Alto Networks
Palo
Alto
Networks

Aruba
MOVE
&

ClearPass

Context:

Mobility
Network

Services

•  Core
AAA,
NAC

•  Device
Proﬁling

•  Guest
+
BYOD

•  Exchange
rich

endpoint
context

•  Trigger
real-‐<me,

intelligent

network
policies

•  Extendable

architecture

Next
Genera0on
Firewall

•  L7+
Applica<on
FW

•  Content
Security

•  Threat
Protec<on

Securing the Wireless with Palo Alto Networks
Guests

Employee
Asset

Next-‐Genera0on

Firewall

Contractor


18

15/11/13

Aruba Integration
§  Feed User-ID Data
§  Centralized Username to IP address mapping
§  No software agents required, support multiple identity stores
§  Rich visibility and reporting for compliance

§  Endpoint/Device Context
§  Feed device context to PAN eg. iPad, Android Phone
§  Enable policy enforcement based on new device context
§  Extensible schema allows adding more context to endpoint data

§  Centralized Identity Store
§  FW admin authentication using Radius
§  Provide services for VPN authentication
XML

ClearPass
Policy
Manager

AAA

Palo
Alto
Networks

User-ID Architecture

19

15/11/13

Integration Points


ClearPass Configuration

20

15/11/13

Assigning Security Policies Based on Device Type
§  ClearPass Guest Fingerprints devices as they
authenticate to the wireless environment
§  Palo Alto Networks integration shares the device
fingerprint
§  Palo Alto Networks maps the device to a dynamic
address object
§  Network security policy follows the device


How the Integration Works – From ClearPass


21

15/11/13

How the Integration Works – To Palo Alto Networks

To Palo Alto
Networks

Resources

22

15/11/13

Collateral – Tech Note
hVp://www.arubanetworks.com/aruba-‐partners/ecosystem-‐partners/


23

Wireless Network Security Palo Alto Networks / Aruba Networks Integration

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Wireless Network Security Palo Alto Networks / Aruba Networks Integration

Similar a Wireless Network Security Palo Alto Networks / Aruba Networks Integration (20)

Más de Aruba, a Hewlett Packard Enterprise company

Más de Aruba, a Hewlett Packard Enterprise company (20)

Último

Último (20)

Wireless Network Security Palo Alto Networks / Aruba Networks Integration