The document discusses how the internet has become more complex with the rise of unified communications, collaboration tools, and social networking. It notes that information leakage is a top concern for IT professionals. The document also outlines requirements for securely enabling new internet applications, including visibility and control of real-time apps, comprehensive malware protection, and granular policy enforcement. FaceTime's unified security gateway aims to meet these requirements through application identification, inspection, policy enforcement, and archiving capabilities.
2. The Internet has changed and is getting more complex (from text & file sharing to Unified Communications and Collaboration). Chart axes: Capabilities vs. Network Behavior (Good to Evasive). Application types plotted: IM, IM Aggregators, Public IM, VoIP, Web Conferencing, File Sharing, Video, Multimedia, Text Chat, Anonymizers, Unified Communications, Social Networking.
9. Which present significant risks when unmanaged: Information Leakage (Intellectual Property; Credit Card #, Personal Data, Social Security / NI #); Increasingly Complex Viruses, Malware, SPIM (Commercially Motivated); Inappropriate Content; Employee Productivity (Corporate AUP); Compliance and eDiscovery (SEC 17a, FSA, HIPAA, SOX, GLBA, NASD, MiFID); Bandwidth Explosion / Cost.
18. The USG Family – Small Business to Large Enterprise (Small Business & Remote Offices up to Corporate Headquarters)

    Model      Max Users    Max Throughput
    USG220         250      100Mbps
    USG320       1,000      200Mbps
    USG530       5,000      400Mbps
    USG1030     10,000      600Mbps
21. FaceTime is mission critical for today's enterprises: over 1,500 customers and 7+ million seats deployed across Financial Services & Insurance, Manufacturing & Consumer, Technology & Telecommunications, Energy & Healthcare.
24. USG: Purpose-built for the New Internet. Pipeline: Identification → Inspection → Enablement (Application Control Engine™).

    Application Identification (after Packet Assembly of user traffic): Signature Analysis, Behavioral Analysis, Port/Protocol Analysis. IM uses a well-defined port/protocol; however, file transfer within IM uses a P2P protocol.
    Application Activity Identifier: determines the activity within the identified application.
    Policy Enforcement & Logging with Granular Policy Control. Example, for user Joe in Sales: allow only native MSN, and within IM allow only PDF file transfers after AV scanning.
26. USG: Optimized for Skype. Pipeline: Identification → Inspection → Enablement (Greynet Dissector).

    Application Identification (after Packet Assembly of user traffic): Signature Analysis, Behavioral Analysis, Port/Protocol Analysis. Skype exhibits port hopping and random session behavior.
    Application Activity Identifier; identify users.
    Policy Enforcement & Logging with Granular Policy Control. Example, for user John in Marketing: allow Skype only for users in the marketing group.
27. USG: Optimized for Greynets – Public IM. Pipeline: Identification → Inspection → Enablement (Greynet Dissector).

    Application Identification (after Packet Assembly of user traffic): Signature Analysis, Behavioral Analysis, Port/Protocol Analysis. IM uses a well-defined port/protocol; however, file transfer within IM uses a P2P protocol.
    Application Activity Identifier: determines the activity within the identified application.
    Policy Enforcement & Logging with Granular Policy Control. Example, for user Joe in Sales: allow only native MSN, and within IM allow only PDF file transfers after AV scanning.
29. Example Policies for Internet Apps

    Application / Policy   Allow/Block   Groups   Content Control    Time of Day   Quota     Max Bandwidth
    MSN                    Allow         ALL      AV, ILP, Logging   ALL           ALL       ALL
    GoogleTalk             Allow         LEGAL    AV, ILP, Logging   8am - 6pm     All       ALL
    All other IM           Block         NONE     N/A                N/A           N/A       N/A
    Skype                  Allow         SALES    N/A                ALL           ALL       1%
    BitTorrent             Allow         IT       N/A                ALL           4 hours   2%
    All other P2P          Block         NONE     N/A                N/A           N/A       N/A
    IPTV                   Block         NONE     N/A                N/A           N/A       N/A
    Anonymisers            Block         NONE     N/A                N/A           N/A       N/A
    Webex                  Allow         ALL      N/A                8am - 6pm     4 hours   2%
    All other Web Conf     Block         NONE     N/A                N/A           N/A       N/A
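The policy table above, evaluated as a first-match rule set with group, time-of-day, quota and bandwidth checks. This is an added example written for this page, not FaceTime's policy engine; the application-to-class mapping (which apps count as "IM", "P2P", etc.) and the default-deny for unknown applications are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed mapping from application to the class that the "All other ..." rows refer to.
CLASS_OF = {"MSN": "IM", "GoogleTalk": "IM", "Yahoo": "IM",
            "Skype": "P2P", "BitTorrent": "P2P", "eMule": "P2P",
            "IPTV": "IPTV", "Tor": "Anonymisers",
            "Webex": "Web Conf", "GoToMeeting": "Web Conf"}

@dataclass(frozen=True)
class Rule:
    app: str                                   # exact application, a class, or "All other <class>"
    allow: bool
    groups: FrozenSet[str]                     # {"ALL"} = every group; empty = NONE
    content: FrozenSet[str] = frozenset()      # content controls to apply: AV, ILP, Logging
    window: Optional[Tuple[int, int]] = None   # (start_hour, end_hour); None = ALL
    quota_h: Optional[float] = None            # hours per day; None = ALL
    max_bw: Optional[float] = None             # percent of link; None = ALL

ALL = frozenset({"ALL"})
NONE = frozenset()
CC = frozenset({"AV", "ILP", "Logging"})
OFFICE = (8, 18)                   # 8am - 6pm
RULES = [                          # one Rule per row of the slide table; first match wins
    Rule("MSN", True, ALL, CC),
    Rule("GoogleTalk", True, frozenset({"LEGAL"}), CC, OFFICE),
    Rule("All other IM", False, NONE),
    Rule("Skype", True, frozenset({"SALES"}), max_bw=1),
    Rule("BitTorrent", True, frozenset({"IT"}), quota_h=4, max_bw=2),
    Rule("All other P2P", False, NONE),
    Rule("IPTV", False, NONE),
    Rule("Anonymisers", False, NONE),
    Rule("Webex", True, ALL, window=OFFICE, quota_h=4, max_bw=2),
    Rule("All other Web Conf", False, NONE),
]

def decide(app, group, hour, used_h=0.0):
    """Evaluate one session: (allowed, reason, content controls to apply, max bandwidth %)."""
    cls = CLASS_OF.get(app, "Unknown")             # unknown apps fall through to default deny
    rule = next((r for r in RULES if r.app in (app, cls, "All other " + cls)), None)
    if rule is None or not rule.allow:
        return False, "no allow rule", frozenset(), None
    if "ALL" not in rule.groups and group not in rule.groups:
        return False, "group not permitted", frozenset(), None
    if rule.window and not rule.window[0] <= hour < rule.window[1]:
        return False, "outside time window", frozenset(), None
    if rule.quota_h is not None and used_h >= rule.quota_h:
        return False, "quota exhausted", frozenset(), None
    return True, "allowed", rule.content, rule.max_bw
```

A per-user rule (e.g. "Joe in Sales") would simply be a Rule whose groups set names that user, placed ahead of the group rows.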
Editor's notes
Facebook: adding 1000 apps per month; 2000 are messaging related. A major investment bank customer of ours estimates over 50% have a Facebook account. Bell Canada has over 2000 employees using Facebook.
A new generation of Internet users is coming into our organization. A recent survey
When speaking to key administrators during the survey, the following were of concern: brand awareness; productivity of staff (too much social activity); security (backdoor attacks via malware / worms over unsecured P2P and IM channels); information leakage, the biggest concern.
Inbound threats: productivity loss; broad new vectors for malware distribution (viruses, worms, spyware & rootkits).
Outbound threats: information leakage; holes for corporate & user information leakage; intellectual property loss; user privacy concerns.
Corporate and regulatory non-compliance exposure: invisible information channels; legal & financial risks.
Gaps in other security products – talk here
FTOS: purpose built for greynet applications. Hardening the Linux shell; regulating the use of ports; preventing remote connections to the OS.
Greynet Traffic Detection: HTTP and real-time communication applications. Detect applications that are port/channel agnostic, tunnel through HTTP, etc. Total visibility of all Internet traffic.
Policy Enforcement Engine: set and enforce policies and manage access for all channels. Set and enforce policies at company, group and user levels for HTTP.
Centralized Management and Reporting: easy to use browser based management interface for all Internet channels. Pre-defined and custom report generation capability. Integration with 3rd party reporting applications.
09/08/09
Port Tunneling: enables the masquerading of IM/P2P traffic over popular protocols such as HTTP, Telnet and FTP, which are typically allowed through firewalls for business applications. Application-level firewalls can perform limited inspection for basic IM and P2P protocols, but keeping up with proprietary implementations is a challenge.

Random Session Behavior / Port Hopping: these applications exhibit non-deterministic behavior to bypass access-control policies on traditional security devices that look for applications on "well-known" ports. Security administrators need complete knowledge of all the ports on which the application can "hop", and must keep up with the increasing sophistication of these applications.

Onion Routing: the goal of Onion Routing (OR) is to protect the privacy of the sender and recipient of a message, while also providing protection for message content as it traverses a network. Onion Routing accomplishes this according to the principle of Chaum's Mix Cascades: messages travel from source to destination via a sequence of proxies ("onion routers"), which re-route messages in an unpredictable path. To prevent an adversary from eavesdropping on message content, messages are encrypted between routers. The advantage of Onion Routing (and Mix Cascades in general) is that it is not necessary to trust each cooperating router; if one or more routers are compromised, anonymous communication can still be achieved. This is because each router in an OR network accepts messages, re-encrypts them, and transmits them to another onion router. An attacker with the ability to monitor every onion router in a network might be able to trace the path of a message through the network, but an attacker with more limited capabilities will have difficulty even if he or she controls one or more onion routers on the message's path.

Encryption: ensures privacy of message contents between end-points and bypasses traditional security measures.
Incoming traffic packets are captured and reassembled for further analysis by the Traffic Analyzer (this part is similar to any network security device). Once reassembled, the traffic goes through the App Dissector Engine, which is our secret sauce. This engine includes two processes:

1. The traffic goes through signature, behavioral and protocol analyses to identify the application. This is where the app is identified based on ports/protocols and the behavior it exhibits on the network. Since greynets are highly evasive on the network, a combination of signature and stateful inspection of the traffic is necessary to accurately identify the application. For example Skype, a P2P application, may use port 80 or any other port, so understanding the behavioral aspect (port hopping, packet alteration/sequencing, etc.) is required.

2. Once the application has been identified, the dissector then identifies the actual activity of the application: whether it is a file transfer happening over IM or just a plain IM conversation. This is important as some IM apps like MSN use a P2P protocol for file transfer, different from the native protocol used for the IM conversation.

Following the identification of the app activity, the appropriate policy for it is applied based on the user that initiated that traffic, resulting in allowing (with controls) or blocking the traffic.
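The three-stage flow described in these notes (identify the application, identify the activity within it, then apply the initiating user's policy), with the "Joe in Sales: native MSN only, PDF transfers only after AV scanning" rule from slide 24. This is an added illustration, not FaceTime's dissector: the Flow record, the signature strings and the port-hopping threshold are constructed; the only real-world value used is TCP 1863 as MSN Messenger's well-known port.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    """One reassembled session (packet assembly is assumed to have happened already)."""
    user: str
    group: str
    dst_port: int
    payload: bytes                   # first bytes of the reassembled stream
    ports_seen: int = 1              # distinct destination ports this host used in the session window
    filename: Optional[str] = None   # name of a file carried by the session, if any
    av_clean: Optional[bool] = None  # outcome of the AV scan of that file; None = not scanned

# Constructed signature table (payload prefix -> application, activity); not a vendor signature set.
# "INVITE " stands in for the P2P file-transfer handshake MSN runs inside an IM session.
SIGNATURES = {b"VER ": ("MSN", "chat"), b"MSG ": ("MSN", "chat"),
              b"INVITE ": ("MSN", "file_transfer"), b"GET ": ("HTTP", "browse")}

def identify(flow: Flow):
    """Stages 1 and 2 of the dissector: (application, activity) from port, signature and behaviour."""
    # Port/protocol analysis only yields a candidate: TCP 1863 is MSN's well-known port.
    candidate = "MSN" if flow.dst_port == 1863 else None
    # Signature analysis confirms the application and, for IM, tells chat from file transfer.
    for sig, (app, activity) in SIGNATURES.items():
        if flow.payload.startswith(sig):
            return app, activity
    # Behavioural analysis: no signature plus port hopping is the evasive greynet pattern.
    if flow.ports_seen >= 3:
        return "port-hopping P2P", "unknown"
    return candidate or "unknown", "unknown"

def enforce(flow: Flow):
    """Stage 3: policy for the user that started the session -> (verdict, app, activity)."""
    app, activity = identify(flow)
    if app == "MSN" and flow.group == "Sales":            # Joe in Sales: native MSN only
        if activity == "chat":
            return "allow", app, activity
        if activity == "file_transfer":                    # PDF only, and only after a clean AV scan
            ok = (flow.filename or "").lower().endswith(".pdf") and flow.av_clean is True
            return ("allow" if ok else "block"), app, activity
    if app == "HTTP":
        return "allow", app, activity
    return "block", app, activity   # default deny for anything unidentified or not permitted
```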
BEST PRACTICES DEPLOYMENT
1: Deploy FTEE to ensure compliance and security. Guarantee compliance with TrueCompliance TM; stop worms and viruses and block SPIM; stop rogue IM & P2P and block circumvention at the perimeter.
2: Monitor and analyze usage patterns. Who is using what networks? What features are being used (file transfer, VoIP, app sharing, etc.)? How much and what P2P usage is going on?
3: Formulate usage policies by user, network and capabilities.
4: Implement and enforce policies: IMA for logging and audit workflow; RTG to control non-compliant use.