Talk given together with SonicWALL to analyze the risks that the most widely used technologies introduce into modern networks, and how to mitigate them.
ICT Security 2010: The Threats of New Technologies
1. Alessio L.R. Pennasilico
mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico
Phone/Fax +39 045 8271202
Via Roveggia 43, Verona
Via Doria 3, Milano
http://www.aisgroup.it/
info@aisgroup.it
Cristiano Cafferata
ccafferata@sonicwall.com
BDM & SE, Italy and Greece
Technology around me,
security within me
Friday, 29 October, 2010
2. Alessio L.R. Pennasilico
Board of Directors:
Associazione Informatici Professionisti, CLUSIT
Associazione Italiana Professionisti Sicurezza Informatica
Italian Linux Society, LUGVR, Sikurezza.org
Hacker’s Profiling Project
Security Evangelist @
3. Virtualization Risks
access to the administrative interface
reachability tests for HA
vMotion
iSCSI, NFS
5. Today’s Network Security Requirements
Situational Visibility & Awareness
Application Intelligence, Control with Visualization
Scanning of all out-going and in-coming traffic
Protection & Risk Management
Security effectiveness for maximum catch rates
Zero-day protection
Secure Access and Manageability
Flexible, yet granular controls
Multi-vendor interoperability
Scalability
Technology and Solutions
Network Performance/ Policy & Administration
Compliance
Regulations and Standards
Proof
Physical and virtualized assets
Distributed networks
Users and Applications
Mobile devices
Embedded sensors
Copyright 2010 SonicWALL Inc. All Right Reserved.
6. Vulnerabilities in the software everyone uses everyday …
It’s Human Nature …
Programmers make mistakes
Malware exploits mistakes
Malware propagating at Application Layer
7. VoIP Risks
To work, IP phones may perform several preliminary actions, which are vulnerable to various attacks:
✓ they obtain an IP address from a DHCP server
✓ they obtain the address of a TFTP server from DHCP
➡ I am the DHCP server, I point you to my TFTP
✓ they download the firmware from the TFTP server
➡ I am the TFTP server and I give you my firmware/configuration
✓ they download the configuration from the TFTP server
➡ I read the configuration from the TFTP server
✓ they authenticate to the VoIP server
➡ I sniff, or I pose as the PBX and force plain-text auth
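A defensive check for the provisioning chain listed above, as an added example that is not part of the original slides: it parses captured DHCP replies and flags any that come from an unapproved server or point phones at an unapproved TFTP server. The allowlist addresses and the `sample_reply` helper are assumptions constructed for illustration; 53, 54, 66 and 150 are the standard DHCP option codes for message type, server identifier, TFTP server name and TFTP server address.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)
ALLOWED_DHCP = {"192.0.2.1"}     # assumed site policy (hypothetical value)
ALLOWED_TFTP = {"192.0.2.10"}    # assumed site policy (hypothetical value)

def parse_options(payload):
    """Return {option code: value bytes} from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, no length
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else -1
        value = payload[i + 2:i + 2 + length]
        if length < 0 or len(value) != length:
            raise ValueError("truncated option")
        opts[payload[i]] = value
        i += 2 + length
    return opts

def audit_reply(payload):
    """Return policy findings for one DHCP OFFER (2) or ACK (5)."""
    opts = parse_options(payload)
    if opts.get(53) not in (b"\x02", b"\x05"):
        return []
    sid = opts.get(54, b"")                          # server identifier
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "<none>"
    findings = []
    if server not in ALLOWED_DHCP:
        findings.append(f"DHCP reply from unauthorized server {server}")
    tftp = []
    if 66 in opts:                                   # TFTP server name
        tftp.append(opts[66].rstrip(b"\x00").decode("ascii", "replace"))
    raw = opts.get(150, b"")                         # TFTP address list
    tftp += [str(ipaddress.IPv4Address(raw[j:j + 4]))
             for j in range(0, len(raw) - 3, 4)]
    findings += [f"TFTP server {t} not in allowlist"
                 for t in tftp if t not in ALLOWED_TFTP]
    return findings

def sample_reply(server, tftp_name):
    """Constructed test input: minimal DHCP OFFER with options 53/54/66."""
    opts = b"\x35\x01\x02" + b"\x36\x04" + ipaddress.IPv4Address(server).packed
    opts += b"\x42" + bytes([len(tftp_name)]) + tftp_name.encode() + b"\xff"
    return bytes(236) + MAGIC + opts
```

If phones are provisioned by hostname in option 66, the allowlist needs that hostname as well as the address.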
8. Warning
VoIP can be more secure than traditional telephony. However, this is achieved through correct design, implementation and verification, following some best practices, from both a technical and a training standpoint.
10. Challenges in a Web 2.0 Environment
Allow use of Social Networking
… but protect it
… and control who’s using it
Allow use of Streaming Video
… but control its usage
At the same time
… Restrict P2P Applications
… Restrict File Sharing
… Restrict Gaming
… Prioritize VoIP
11. Streaming Video
Recreational Use
Business Use
12. Application Chaos
IT Controls Challenged
Unacceptable Apps
Acceptable Apps
Identify, Manage and Control Application Chaos
21. Useless Measures
Hiding the network name is useless
Filtering MAC addresses is useless
WEP gives a false sense of security
22. Protecting WiFi
At home, WPA2 is a suitable solution
In a company, it is possible to run IPSec over WiFi or use WPA2/Enterprise
24. Application Intelligence & Control
Identify
Categorize
Control
By Application
By User/Group
By Content Inspection
By Application
By Application Category
By Destination
By Content
By User/Group
Prioritize
Manage
Block
Prevent Malware
Prevent Intrusion Attempts
Next Generation Firewall Platform
25. Example: Prioritize Application Bandwidth
Goal
Prioritize mission critical applications, such as SAP, Salesforce.com and SharePoint.
Ensuring these applications have priority to get the network bandwidth they need to operate can improve business productivity.
Solution:
App: SAP, Sharepoint, SFDC
Action: Bandwidth Prioritize
Schedule: Always
Users: All
Application priority can be date based
(think end-of-quarter priority for sales applications)
31. Malware loves Social Networking Too
Set-up:
Create bogus celebrity LinkedIn profiles
Lure:
Place link to celebrity “videos” in profile
Attack:
Download of “codec” required to view video
Infect:
Codec is actually Malware
Result:
System compromised
(Gregg Keizer, Computerworld Jan 7, 2009)
33. SonicWALL Application Control Appliances
NSA E7500/8500
NSA E6500
NSA E5500
TZ 210 Series
NSA 3500
NSA 2400
NSA 240
NSA 4500
NSA 2400MX
34. SonicWALL Next Generation Firewalls feature:
Multi-Function Security Integration
Complete Threat Protection with Intrusion Prevention & Anti-Malware/Virus/Spyware
Content Control & URL Filtering
Full “Enterprise” quality Integrated Anti-SPAM
Protect whole infrastructures such as StoneWare Access
Application Visibility
Integrated Application Firewall
Policy control over Applications, Application use & File Types
Ultimate Connectivity
“Clean VPN” Secure IPSec Site-to-Site VPN Connectivity, Clean Wireless, Wireless Switch / Controller
Exceptional User Policy Control and Access to Resources
Integrated Wireless Switch offer “Clean Wireless”
Reliability, Optimization & Flexibility
Highly Redundant Hardware – Power/Fans
Business Application Prioritization & QoS
Integrated Server Load Balancing Feature-set
Flexible Deployments branch office, corporate & department network Applications
Award winning: Deployment & Management
Deep Packet Firewall
Clean VPN
Intrusion Prevention
Anti-Malware
Content Filtering
Bandwidth Management
Application Firewall
Full Anti-SPAM
Clean Wireless
35. Product developed to fully meet the requirements of the “system administrators” decree
36. VoIP
Web management interface
Web-based user interface
Multi-site
Integration of:
fax/sms/skype/“exotic” devices
38. Budget?
81% of intrusions occur on networks that do not meet the requirements of the most widely adopted standards/best practices/guidelines
Gartner
39. Alessio L.R. Pennasilico
Thank you!
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subjected to Creative Commons Attribution-ShareAlike-2.5 version; you can copy, modify, or sell them. “Please” cite your source and use the same licence :)