AhnLab TrusGuard Standard Proposal Eng


(1)


AhnLab TrusGuard Standard Proposal

“The Best of Network Security solutions, AhnLab TrusGuard”

(2)


Table of Contents

Recent Trend in Security Threats

Product Overview

Special Advantages of AhnLab TrusGuard

Customer Benefits

Detailed Functions

Specifications

Main UI View

Implementation Case

Appendix.


(4)

Recent Trend in Security Threats: Overview

The latest trend in anti-virus protection can be described as “Diversification, Complexity, Systemization.”

• Malware (Virus, Worm, Trojan, Bot) is still a big threat.
• Complexity of SPAM + Trojan + Phishing + Pharming
• Spread of DDoS & attacks on web applications
• Limitation in patch management
• Change of target from the unspecified general public to a specified target
• Emergence of profit-motivated cyber crimes

[Figure: evolution of the attacker (Script Kid → Professional, Organized Crime) and of the attack motivation (Pure curiosity → Profit gain) across the eras of The Hack, The Virus and The Bot (Injection, XSS)]

(5)

Recent Trend in Malware

Following 2008, Trojan horses that steal internal and account information are still prevailing, and infection by worms, which usually spread malicious attacks on internal networks, and the emergence of new worms are increasingly reported.

• Trojan horses for stealing internal & account information still take up a large part of the threats to enterprises (39%).
• Reports of infection by “spreading worms”, which severely hinder the availability of internal networks and systems, and by their new variants are increasing.
  - Infection by worms through USB mobile storage devices is still happening.
  - Together with the popularization of wireless LAN, infection by worms through unauthorized PCs connecting to the internal network is increasing.

[Infection by Malware Types, 2009] Trojans 39%, Virus 12%, Adware 12%, Worm 10%, Script 7%, Dropper 5%, Others 15%
[Infection by New Malware Types, 2009] Trojans 55%, Adware 27%, Downloader 7%, Worm 5%, Script 2%
Source: AhnLab ASEC Report (Dec., 2009)

(6)

DDoS Attack Trends (1)

The major threat in the recent network-based attack trend is DDoS.

○ The analysis of incoming threat types to ISP networks revealed that:
  - UDP Flooding, a variety of DDoS attack, was the major threat.
  - The most common DDoS attack, TCP SYN Flooding, is occurring consistently.
○ A Bot is malicious code that produces large numbers of zombie PCs used for DDoS attacks.
○ When the number of Bot-infected PCs increases, the threat of a DDoS attack also increases.
○ The infection rate by Bot in Korea has decreased greatly since 2008 (average 10% in 2008 → average 1% in 2009).

[Incoming threat types to networks in Korea, as of Nov., 2009: UDP Flooding, TCP SYN Flooding]
Source: KISA monthly bulletin of Internet incident trend & analysis (Nov., 2009)
[Monthly trend of infection by malicious Bots in Korea: percentage of infected PCs in Korea among worldwide PCs infected by Bot]
Source: KISA monthly bulletin of Internet incident trend & analysis (July)

(7)

DDoS Attack Trends (2)

DDoS attacks have shifted from attacks that drain bandwidth to attacks that drain system resources and target application weaknesses.

1st stage DDoS (early to mid 2000s): Network resource draining attacks
  - Simple attacks; traffic-inducing attacks; network draining attacks
  • Flooding attacks: ICMP Flood attack, UDP Flood attack
  • Amplification attacks: Smurf attack, Fraggle attack

2nd stage DDoS (2006 ~ 2007): TCP/Application weakness attacks
  • TCP 3-way handshake attacks targeting weaknesses: SYN Flooding attack, ACK Flooding attack, SYN+ACK Flooding attack

3rd stage DDoS (2008 ~): Complex / Intelligent attacks
  • Flooding attacks + weakness attacks: HTTP GET Flooding, ICMP Flooding, TCP SYN Flooding, UDP Flooding
  • Complicated & intelligent attacks; actors and motives: all citizens, organizing, political purposes, financial gain

(8)

DDoS Attack Trends (3)

DDoS attacks are targeting every type of business regardless of size. Any company that uses the Internet to provide services is vulnerable to DDoS attacks.

[Recent Attacks] (timeline 2000 → 2010: early DDoS attacks on Amazon, eBay and Yahoo; DDoS attacks from viruses; IRC Bot DDoS attacks; rapid increase in DDoS attacks; increase in money-stealing DDoS attacks such as the Mirae Asset case)
○ 2007.1 : DDoS attack on a domain registration proxy company
○ 2007.5 : Estonian government and parliament sites paralyzed for 3 weeks
○ 2007.6~8 : Money demanded from travel and pension reservation sites, etc.
○ 2007.9~10 : Game item trading site was attacked and money demanded
○ 2008.3 : Mirae Asset's homepage shut down for 1 hour, money demanded
○ 2008.6 : Grand National Party's homepage shut down due to DDoS attack
○ 2008.8 : Game rating board's homepage shut down for 9 hours
○ 2009.7 : 7.7 DDoS Crisis

[Attack Method]
○ Omnidirectional attacks using various protocols such as TCP/UDP/ICMP/HTTP
○ Flooding attacks using malicious IRC Bots are the mainstream
○ Attacks send from 500M ~ 1G (small attack) to 40~50G (large attack) of traffic to shut down systems or paralyze services

Various companies in the financial industry, the public sector, small online service companies, etc., are exposed to the threat of DDoS attacks.

(9)

Threats that exploit vulnerabilities in web applications

The most prevalent threat types in web application attacks are XSS (Cross-site Scripting) and SQL injection. They exploit vulnerabilities to leak private information, steal account privileges and alter/destroy data.

[Major threat types exploiting web vulnerabilities, 2008] SQL Injection 18.3%, XSS 13.7%, Buffer error 9.8%; further categories: access control, input validation error, resource management error, directory search, information leakage, others
Source: KISA monthly bulletin of Internet incident trend & analysis (Dec., 2008)

○ SQL injection, XSS (Cross-site Scripting) and buffer error ranked 1, 2 and 3 among the major web vulnerability threat types in 2008.
○ SQL injection attacks increased rapidly due to the wide distribution of automatic mass-SQL injection tools like ‘Jeopard in a hole.’
○ The SQL injection attack type is changing…
  - from stealing data inside the DB
  - to infecting/spreading malicious code to connected users by deploying the malicious code inside the DB.

(10)

Diversified Attack Routes (1)

As various IT devices and applications emerge rapidly due to the advancement of Internet business, the client's system is becoming overexposed to numerous attack routes.

[Figure: attack routes to the client's system: file download, wireless, vulnerabilities in OS and commercial programs, mobile storage devices, P2P programs, e-mail, instant messaging programs, Internet surfing]

(11)

Diversified Attack Routes (2)

• Among the attack routes of viruses and worms in Korean companies with 5 or more employees, “infection through downloading from the Internet” ranked highest with a rate of 85.0%.
• By industry, manufacturing (89.1%), wholesale (87.7%) and construction (87.6%) showed relatively higher rates of “infection through downloading from the Internet”, and even in banking and insurance the rate was 80.8%.

[Attack routes of viruses and worms] Download from Internet 85.0%; By visiting certain websites 54.5%; E-mail 50.8%; Shared folder, internal networks 42.4%; Storage devices (CD, USB, etc.) 34.1%; By external hacking 17.5%; Others 2.4%
Source: Survey on information security in enterprises, 2008

Indeed, the downloading of spreading worms and zombie malware during web surfing is rapidly increasing.

(12)


Network Security Trend

(13)

Performance & Scalability, All at Once!!

Single-core based hardware
  • Pentium or Xeon base
  • Low-end H/W platform
  • Limited performance

Network Processor / ASIC
  • Specialized chipset base
  • Exclusive packet-handling processor
  • High-performance packet handling & delivery
  • Difficult to add functions
    - Customization not allowed.
    - Difficulty in time-to-market

Multi-core based hardware
  • Multi-core processor base
  • High-end H/W platform
  • Linear performance enhancement when an additional core is added.
  • Easy to add functions & excellent at combating fast-changing security threats.

Technology in network security appliances is progressing toward the multi-core based, high-performance platform.

(14)

From Single-Purpose to Integrated Multi-Purpose…

Single-purpose (~ mid 2000s)
  • Firewall-only, VPN-only approach
  • Low-end H/W environment
    - Limited performance

Combined functions (mid 2000s ~ current)
  • Integrated Security
    - Combination of functions
  • Firewall+VPN+IPS+AV+AS
  • High-end H/W
    - Overcoming the performance limitation of multi-functions
  • Lack of elaborate functions

Practical integration (2010 ~)
  • Green IT in Security
  • Overcoming performance limitations
    - Advance of multi-core H/W
    - 16 cores → 32 cores or more
    - Continuous expansion of performance
  • Elaborate functions enabled.

With the rapid advance in H/W technology and a tendency toward Green IT, “integration of practical security functions” is the new direction in network security appliances.

(15)


Product Overview

(16)

Product Overview

AhnLab TrusGuard is an “Integrated Network Security System” that combines “Firewall/VPN-based, high-performance network security” with strong “Security Threat Response Technology.”

Network security functions
  Firewall / Networking
    - Stateful inspection filtering
    - Route / Transparent mode
    - Dynamic routing / QoS function
    - IPv6 support (as of May 2010)
  VPN
    - SSL VPN function
    - IPSec VPN function (G-to-G, G-to-C VPN)
  DDoS defense
    - Equipped with an exclusive engine for DDoS defense
    - 6-phase response
    - Protection against attacks of various types (flooding, draining of application)
  I(D)PS
    - Signature-based detection & prevention of attacks
    - Behavior-based detection & prevention of attacks
    - More than 6 thousand rules for detecting attacks
    - 3-phase mechanism for preventing attacks
    - NAC function (synched with end-point V3)

Contents security functions
  Anti-Virus
    - Prevention of intrusion by virus, worm, spyware, phishing, etc.
    - Supports HTTP/SMTP/POP3/FTP
    - Equipped with V3 engine
    - 365*24 ASEC service / CDN
  Anti-Spam / Web Filtering
    - Black list-based spam filtering
    - Spam engine-based filtering
    - Keyword-based filtering
    - Spam quarantine & storing
    - Access filtering of harmful sites

Management
  - Log analysis & real-time display
  - Correlation analysis of threat data
  - 50 types of security analysis reports
  - Integrated policy management of many appliances

(17)

Special Advantages of AhnLab TrusGuard

(18)

TrusGuard Features: Overview

AhnLab TrusGuard distinguishes itself by creating synergy from an organic combination of “high-performance, high-quality network security technology” with “proactive, comprehensive integrated security technology.”

Network Security: High Performance & Flexibility
  • High-performance platform & optimized design for multi-core
  • High-quality firewall technology
  • Flexible VPN with enhanced security
  • Flexible network security (IPv4 & IPv6)

Integrated Security: Proactive & Comprehensive
  • Security response to ‘zero-day & emergent’ attacks
  • Specialized DDoS engine (overseas patent-pending)
  • Competitive IPS function
  • Powerful anti-virus / anti-spam
  • V3-synched NAC function
  • Prevents zombie malicious codes by linking with ACCESS.
  • No.1 security response technology
  • Largest security response infra.

Management: Simple & Graphical
  • Intuitive & graphical information display
  • Embedded, real-time monitoring information
  • External log server / manager

* ACCESS (AhnLab Cloud Computing E-Security System)

(19)

TrusGuard Features – High-Quality Firewall

TrusGuard is based on elaborate and reliable high-quality firewall technology.

The design of TrusGuard is based on “Suhoshin Absolute”, the best firewall solution in Korea. “Suhoshin Absolute” was the first commercial firewall in Korea, and it has proven its technical reliability and performance in the market by acquiring more than 3,000 client references during the last 10 years.

Stateful Inspection
  • Provides independent performance regardless of the number of rules.
  • Based on black list / white list.
High Availability
  • Fail-over function (Active-Active, Active-Standby)
  • Can back up without a separate L4 switch (session / rule synch)
  • Full-mesh structure
Port Aggregation
  • Uses 2 or more physical ports as a single logical port.
  • Can process traffic equal to bandwidth * number of ports.
  • Handles large traffic easily and provides fail-over function among ports.
Quality of Service
  • Can set/limit maximum traffic volume when setting a security policy.
  • QoS setting can be established by policies / IPs / ports.
  • Supports policy-based & schedule-based QoS.
Routing
  • Static/Dynamic routing (RIP, RIPv2, OSPF)
  • Supports multicasting / source routing.
NAT
  • Static (1:1) / Dynamic NAT (1:N, M:N), Twice NAT
  • Excluded NAT, NAT Traversal, Load-Sharing NAT Server farm
VoIP support
  • Supports SIP, H.323 communication.
Authentication
  • Internal OTP, external RADIUS synch
Others
  • Supports 802.1Q VLAN.
  • Supports DHCP server & DHCP relay.

[Figure: HA setting (Active-Active, Active-Standby) between TrusGuard appliances facing the Internet]

(20)

TrusGuard Features – High-Performance

TrusGuard is based on a high-performance hardware platform and an S/W architecture design optimized for the specific platform. To achieve high performance when running multiple functions, every model of TrusGuard (except the SOHO model) is configured with a multi-core platform and an optimized architecture design.

○ Optimal distribution technology of packets to multi-core applied.
○ When running a single function, the multi-core utilization provides the “maximum performance.”
○ When running multiple functions (Firewall, VPN, IPS/DDoS, Anti-Virus, Anti-Spam), the multi-core utilization provides the “optimal performance.”
○ Multi-core platform in all models (TrusGuard 50 excluded.)

※ Throughput Test Result
  Classification: Firewall only | Simultaneous running of firewall & IPS (6,000 signatures on)
  Throughput (1024 byte): 6G | 2G
* Performance test condition
  - Performance value of the TrusGuard 1000 model with 6 ports
  - Used IXIA test equipment.
  - Used GET Request 10K, 1G * 6 ports.

[Figure: packets distributed across Core 1 … Core 4 of AhnLab TrusGuard]

(21)

TrusGuard Features – IPSec VPN

With TrusGuard, you can establish a VPN network with enhanced security response capability in HQ-branch and PC-office settings.

Using IPSec VPN as the default function, TrusGuard provides a secure way of communicating through the public network. Also, when the firewall/IPS function is synched for traffic inside the VPN tunnel, it can prevent the internal spread of malicious codes.

Support for IPSec standard
  • Supports tunnel mode, ESP, AH, ESP+AH.
  • Can be synched with IPSec standard products.
  • Supports encryption algorithms like 3DES, AES, SEED, ARIA.
  • IKEv1, IKEv2, manual support
  • Supports hub & spoke, star, mesh structure.
NAT Traversal
  • Supports IPSec in a NAT environment that uses private IPs.
Dual Line
  • Supports VPN line take-over via ADSL (2 lines or more)
DPD
  • Real-time automatic transfer by detecting host status
Firewall/IPS synch
  • Firewall/IPS policy can be synched for VPN packets.
    - Prevents the spread of malware through the VPN tunnel.
Bypass of other IPSec packets
  • Can bypass IPSec packets for other appliances.
    - Provides a flexible response for enterprises that use various security appliances.
Scalability
  • Supports synch with L4 for expanded throughput.
  • Supports bridge over IPSec.
VPN Accelerator
  • Provides high-performance VPN through the equipped hardware accelerator. (TrusGuard 1000 model)
Other functions
  • Supports split tunnel function.
  • Prevents replay attacks.

[Figure: IPSec VPN tunnel between HQ and branch, remote connection via SSL VPN, high-performance VPN communication through hardware acceleration]

(22)

TrusGuard Features – SSL VPN

TrusGuard provides a flexible VPN network with enhanced security that meets the client's environment.

TrusGuard allows the flexible setup of a VPN network, as both IPSec VPN and SSL VPN are supported in the same appliance.
  - When connecting through SSL VPN, AhnLab Online Security (PC firewall / anti-keylogger program) is automatically installed, and then the security status of the connected PC is checked to strengthen the internal security of the enterprise.

TrusGuard effectively prevents the spread of worm/Bot infection from the branch to the HQ system through its powerful IPS-synch function.

[Figure: Internet, DMZ server farm, university department network (Departments A, B, C) on the backbone network, TrusGuard, Branch Z; SSL VPN tunnel and IPSec VPN tunnel; AhnLab Online Security installation; malicious traffic in the VPN tunnel]

(23)

TrusGuard Features – IPv6 (to be provided in May, 2010)

TrusGuard supports IPv4 & IPv6 dual-stack security settings in real network environments. TrusGuard provides full security for various network environments where IPv6 is applied.

TrusGuard IPv6 packet filtering algorithm
  • Fully supports many IPv6-related routing/transitions.
  • Fully supports a combined IPv6 & IPv4 network.
  • IPv6 stateful inspection
  • Transition technology (tunneling, translation)
  • IPv4 & IPv6 dual-stack support
  • NAT & logging
  • DHCPv6, RA
  • IPv6 routing (RIPv6, OSPFv6)

[Figure: TrusGuard at HQ, IPv6 network, IPv6 web server, server farm, tunneling over IPv4, IPv4 Internet]

(24)

TrusGuard Features – Integrated Security Infrastructure

TrusGuard can “create/maintain/deliver” the differentiated security response contents. The core competence of TrusGuard lies in the security infrastructure like ASEC/CERT/ACCESS that provides an effective response to increasingly diverse and malignant security threats.

ASEC
  • Malware collection & analysis of trends
  • Analysis of NW attack trends
  • Proactive prevention
  • Writing/distribution of signatures
CERT
  • No. 1 managed security provider in Korea
  • Provides managed security service to major clients.
  • Real-time response to NW attacks
Collaboration: acquire & respond to real-time attack/threat information.

Zero-Day Attack Prevention
  • Prevention based on vulnerability estimation.
    - Pre-distribution of signatures for predicted ‘vulnerability attacks.’
  • Microsoft MAPP Partnership
    - A program for pre-sharing security patch info.
Outbreak Prevention
  • Early prevention of malicious codes/attacks
    - Distributes signatures for preventing early spreading.
Up-to-date & Accurate
  • 2~3 signature updates per day
    - Maintains up-to-date signatures.
  • Collaboration with internal CERT (Managed Security Center)
    - Can detect & respond to real-time attacks occurring at the client's sites.
  • 24*7*365 support
    - When an emergency arises, rapid response is provided.

* ASEC : AhnLab Security E-response Center  * CERT : Computer Emergency Response Center

(25)

TrusGuard Features – Integrated Security Infrastructure

TrusGuard, using its 3-phase defense system for various security threats, can provide powerful protection against zero-day attacks and emergent attacks to your system.

[3-Phase Defense Mechanism]
Phase 1 : Pattern estimation and distribution of the prevention policy
Phase 2 : Distribution of the early-prevention policy
Phase 3 : Distribution of the prevention policy for network worms
(Figure labels: Zero-day Prevention; Outbreak Prevention; Vulnerability reported. Attack emerged. Sample collected. IPS signature distributed. AST & CDN service)

[Zero-day Attack Prevention Examples]
Example #1. Attack on IE memory corruption vulnerability
  2009/02/10 : Vulnerability reported.
  2009/02/10 : TrusGuard signature for the estimated attack was distributed.
  2009/02/11 : Microsoft announced the security patch.
  2009/02/18 : Public disclosure of the executable attack code.
Example #2. Microsoft Access ActiveX remote exploit
  2008/07/18 : First discovery of the vulnerability (Chinese community website)
  2008/10/23 : TrusGuard signature for the estimated attack was distributed.
  2008/10/28 : A website spreading malicious code exploiting the vulnerability was sighted.
Example #3. Attack on server service vulnerability (RPC vulnerability attack)
  2008/10/23 : MMPC reported the emergence of a worm.
  2008/10/23 : MS announced the emergency security patch.
  2008/10/23 : TrusGuard signature was distributed.

(26)

TrusGuard Features – IPS

TrusGuard is very powerful in combating various vulnerability attacks and malicious codes. TrusGuard possesses more than 6,000 security response rules, the largest of any worldwide IPS, and, through ASEC, provides a 24*365 monitoring/analysis service, a daily 2~3 update service and an emergency response service.

TrusGuard IPS function
  • World's largest security response signature set (6,000)
  • 2~3 signature updates per day
    - Up-to-date & accurate signatures
    - Reliable update environment through CDN
  • Prevention of various network-based attacks/malware
    - Please refer to the IPS response list below.
  • MAPP partnership with Microsoft
  • Real-time monitoring/analysis system for various security threats

TrusGuard IPS – rules that are internally monitored/written.
▶ Prevention of vulnerability attacks ◀
  • Application vulnerability: OS / IE / ARP spoofing, etc.; shell code
  • Web vulnerability (OWASP vulnerabilities): SQL injection, XSS vulnerability, etc.; CGI / IIS / MISC vulnerability, etc.
▶ Prevention of network-based attacks ◀
  • Scanning attack • NetBIOS / RPC attack • DoS attack / Backdoor • P2P / Instant messaging • Protocol anomaly • Others
▶ Blocking of malware sources ◀
  • Web monitoring system • Use of SiteGuard DB • Operation of active honey pot
▶ Prevention of malware attacks ◀
  • Worm • Bot / BotNet • Trojan • Spyware / Downloader • Mass mailer • Dropper

[Figure: internal monitoring/analysis systems feeding the IPS rules: analysis of VRS vulnerability, BotNet management system, WebMon system, DDoS monitoring system, managed security service, intrusion log analysis system]

(27)

TrusGuard Features – Prevention of Web/Application Vulnerability Attacks

TrusGuard provides superb protection against ever-increasing attacks that exploit web & application vulnerabilities. TrusGuard provides a phased defense mechanism against popular web attacks like SQL Injection, XSS (Cross-Site Scripting), etc.

[Phased response mechanism against web vulnerability attacks]
Prevention 1 : Prevent vulnerability attacks on the web server.
  • Prevents attacks that exploit vulnerabilities in the web server like SQL/PHP injection, XSS, CSRF, etc.
Prevention 2 : Block access to the server at the malware passing point.
  • Blocks access to the malware passing-point server by internal client PCs.
Prevention 3 : Block access to the server at the malware spreading point.
  • Prevents access to the server at malware spreading points by internal client PCs.
Prevention 4 : Block downloading of the vulnerability attack code.
  • If connected to the server at a spreading point, TrusGuard blocks the downloading of the vulnerability attack code to the internal client PCs.

[Example of phased prevention of a web vulnerability attack: attacker → attack target web server (Prevent 1) → infect / redirection → passing point (Prevent 2) → spreading point server (Prevent 3) → download of Vulnerability #1, #2, #3 … #n (Prevent 4), with TrusGuard in front of the internal client PCs]

TrusGuard is equipped with signatures that effectively protect against the 10 web application vulnerability attacks selected by OWASP, and these signatures are updated 2~3 times per day through ASEC.

* ASEC (AhnLab Security E-response Center) : A specialized unit in AhnLab that provides monitoring/analysis of malware/attacks, response service and signature writing.

(28)

TrusGuard Features – Detection/Blocking of Zombie Malware

TrusGuard detects zombie malware and prevents the infection and spread of zombie malware. TrusGuard not only prevents DDoS using Bots but prevents the infection of internal PCs by Bots as well. Also, even if internal PCs are infected by Bots, TrusGuard protects the client's network by performing various operations to prevent the running of the Bot.

[Figure: TrusGuard between the internal network and the BotNet: block malware spreading point; block spreading of Bot; prevent malware attack; prevent vulnerability attack; block / prevent internal infection by Bot; block C&C communication; block / prevent external spreading of Bot]

(29)

TrusGuard Features – ACCESS-synched Removal of Zombie Malware

TrusGuard provides real-time detection/prevention of active zombie malware (Bot) through synch with the ACCESS system based on cloud-computing technology.

Threat Info-Gathering System: program info, reputation system, file activity trend, behavior-based activity, relations among files, malware distribution route
① Detects abnormal network behavior of a certain file.
② Monitoring of the same behavior
③ Real-time analysis
④ Apply the analysis result in real time.
→ Enterprise TrusGuard blocks zombie malware and prevents the spreading of zombie PCs.

The ACCESS-based DDoS monitoring system is AhnLab's unique monitoring and analysis system for zombie malware. With information gathered from 10 million sensors for detecting zombie malware, it provides real-time analysis & response service.

(30)

TrusGuard Features – ACCESS-synched Prevention of Zombie Malware

TrusGuard provides real-time detection/prevention of active zombie malware (Bot) through synch with the ACCESS system based on cloud-computing technology.

[Figure: sensors → ACCESS (DDoS monitoring system) / ASEC → Bot malware activity info and Bot malware file → applied to TrusGuard]

• Prevention of zombie malware
  - Provides block signatures for accessing the server at the spreading point.
  - Provides block signatures for accessing the C&C server.
  - Provides block signatures for infection/downloading of zombie malware.
  - Provides block signatures for synched updates among malware.

(31)

TrusGuard Features – NAC

TrusGuard provides NAC function through synching with end-point security solutions.

TrusGuard is synchronized with V3, an anti-virus product by the same company, to…
① prevent access by PCs without the APC Agent that performs ‘V3 installation & up-to-date V3 update.’
② quarantine infected PCs from the internal network and perform automatic repair. (when using IPS license)

Through this, TrusGuard prevents the infected PCs from spreading to internal networks and, above all, strongly blocks the activity of zombie malware through synch with the DDoS monitoring system.

[Figure: Internet → TrusGuard 1000 (DMZ server farm, core network) → TrusGuard 500 (distribution network), and TrusGuard 100 at a branch connected over a VPN tunnel to headquarters; V3 on each PC; ① network access control & redirection of a PC without the APC agent to the agent installation page; ② PC quarantine & automatic repair]

(32)

TrusGuard Features – Defense against DDoS Attacks

TrusGuard provides strong protection from DDoS attacks, a major type of network attack. TrusGuard is equipped with a special DDoS defense engine that is delicately phased and currently overseas patent-pending (overseas patent No. 2007-114875).

1st Phase : Runs the DDoS detection engine.
  - When a certain threshold of sessions is reached, it is judged as a DDoS attack.
2nd Phase : Runs anti-spoofing protection.
  - Filters spoofed packets by responding virtually to TCP connection attempts under an attack situation.
3rd Phase : Runs dynamic protection.
  - For packets decided as attacks after real-time analysis of packets under an attack situation, a rate-limit is applied.
4th Phase : Runs segment protection.
  - Performs self-learning of session statistics on connections per source IP segment during normal time.
  - Blocks an IP segment with abnormal session connections after deciding it as an attack under an attack situation.
5th Phase : Runs HTTP BotNet protection.
  - Blocks large volumes of HTTP BotNet attacks that occur after the TCP session is connected.

* Financial Supervisory Service (FSS): Korea's government agency which monitors and audits all financial institutions operating in Korea and imposes sanctions against those which violate the financial regulations of the nation.
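The 1st and 4th phases above (threshold-based attack decision, and self-learned per-source-segment session statistics with blocking of abnormal segments), with the 3rd phase simplified to a per-segment rate-limit quota, as an added Python illustration; this is not TrusGuard's code, and the /24 segment size, the 200-session threshold, the mean + 3σ limit and the traffic records are constructed assumptions.

```python
"""Added illustration of the phased DDoS engine described above (not TrusGuard
code).  Phase 1: a session-count threshold decides the attack state.  Phase 4:
per-source-IP-segment session statistics are self-learned during normal time and
segments with abnormal session counts are blocked under attack.  Phase 3 is
simplified to a per-segment rate-limit quota for the segments that are not blocked.
All thresholds, the /24 segment size and the traffic records are constructed."""
from collections import Counter, defaultdict
from ipaddress import ip_network
import statistics

SEGMENT_PREFIX = 24       # assumption: a "source IP segment" is a /24
SESSION_THRESHOLD = 200   # assumption: new sessions per interval that trigger attack state


def segment_of(src_ip, prefix=SEGMENT_PREFIX):
    """Map a source address to its segment, e.g. 10.1.1.7 -> '10.1.1.0/24'."""
    return str(ip_network(f"{src_ip}/{prefix}", strict=False))


def sessions_per_segment(records):
    """Count new sessions per source segment in one interval.

    records: iterable of (timestamp, source_ip) connection attempts."""
    counts = Counter()
    for _ts, src in records:
        counts[segment_of(src)] += 1
    return counts


class SegmentBaseline:
    """Phase 4 self-learning: keep the per-interval session counts of each segment
    seen during normal time and derive a limit of mean + k * stdev."""

    def __init__(self, k=3.0, floor=10):
        self.k = k
        self.floor = floor            # minimum limit, also used for unseen segments
        self.history = defaultdict(list)

    def learn(self, counts):
        for seg, n in counts.items():
            self.history[seg].append(n)

    def limit(self, seg):
        samples = self.history.get(seg)
        if not samples:               # never seen in normal time: only the floor quota
            return float(self.floor)
        sd = statistics.pstdev(samples) if len(samples) > 1 else 0.0
        return max(float(self.floor), statistics.fmean(samples) + self.k * sd)


def evaluate_interval(records, baseline):
    """Run one interval through the phased logic and return the decision."""
    counts = sessions_per_segment(records)
    total = sum(counts.values())
    attack = total >= SESSION_THRESHOLD           # phase 1: threshold reached
    blocked, rate_limits = [], {}
    if attack:
        for seg, n in counts.items():
            lim = baseline.limit(seg)
            if n > lim:
                blocked.append(seg)               # phase 4: abnormal segment blocked
            else:
                rate_limits[seg] = lim            # phase 3 (simplified): quota per interval
    else:
        baseline.learn(counts)                    # normal time: keep learning statistics
    return {"total": total, "attack": attack,
            "blocked": sorted(blocked), "rate_limits": rate_limits}


def constructed_interval(sessions_by_segment, ts):
    """Constructed (timestamp, source_ip) records: {'10.1.1': 20} means 20 new
    sessions from hosts 10.1.1.1, 10.1.1.2, ... in this interval."""
    recs = []
    for base, n in sessions_by_segment.items():
        for i in range(n):
            recs.append((ts, f"{base}.{1 + i % 250}"))
    return recs


# Constructed traffic: three normal intervals, then one flood from an unseen segment.
NORMAL_INTERVALS = [
    {"10.1.1": 20, "10.1.2": 15, "203.0.113": 5},
    {"10.1.1": 22, "10.1.2": 14, "203.0.113": 6},
    {"10.1.1": 19, "10.1.2": 16, "203.0.113": 4},
]
ATTACK_INTERVAL = {"10.1.1": 21, "10.1.2": 15, "203.0.113": 5, "198.51.100": 400}


def run_demo():
    """Learn on the normal intervals, then evaluate the attack interval."""
    baseline = SegmentBaseline()
    results = [evaluate_interval(constructed_interval(iv, t), baseline)
               for t, iv in enumerate(NORMAL_INTERVALS)]
    results.append(evaluate_interval(constructed_interval(ATTACK_INTERVAL, 3), baseline))
    return results


if __name__ == "__main__":
    for t, r in enumerate(run_demo()):
        state = "ATTACK" if r["attack"] else "normal"
        print(f"interval {t}: {r['total']} sessions, {state}, blocked={r['blocked']}")
```

The flood segment 198.51.100.0/24 was never seen in normal time, so it gets only the floor quota and is blocked, while the three learned segments stay within their limits and merely receive a rate-limit quota.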

(33)

TrusGuard Features – Defense against DDoS Attacks

TrusGuard provides strong protection from DDoS attacks, a major type of network attack. TrusGuard is equipped with protection functions against DDoS attacks of various sorts, as listed below.

Direction / Attack Category / Attack Type / Prevention Type

Inbound DDoS attack (prevention: filtering by the special DDoS engine)
  TCP Flooding Attack
    • TCP SYN Flooding • TCP SYN Flooding Spoofing • TCP ACK Flooding • TCP ACK Flooding Spoofing
    • TCP NULL Flooding • TCP NULL Flooding Spoofing • SYN-ACK Flooding • RST Flooding • IP Random Fragment Flag
  UDP Flooding Attack
    • UDP Flooding • UDP Flooding Spoofing • IP Random Fragment Flag
  ICMP Flooding Attack
    • ICMP Echo Flooding • ICMP Echo Flooding (Spoofing) • ICMP Echo Reply Flooding • ICMP Echo Reply Flooding (Spoofing)
  HTTP Attack
    • BotNet Attack • CC (Cache-Control) Attack
  Other Attacks
    • Confuse TCP/UDP/ICMP Flooding • Confuse TCP/UDP/ICMP Flooding Spoofing

Outbound DDoS attack (prevention: IPS signature-based filtering)
  Internal zombie PCs
    • Download of zombie programs from malware-spreading websites
  External attack by internal PCs
    • Attack on external target servers by internal zombie PCs

(34)

TrusGuard Features – Anti-Virus

TrusGuard uses the V3 engine, proven worldwide for its superiority in virus filtering. TrusGuard fully blocks the intrusion of malware into the internal network by utilizing 20 years of virus analysis technology and the DB of V3.

TrusGuard has a powerful advantage in preventing malware that changes in real time because it uses a proprietary internal AV engine.

V3 is an internationally acclaimed anti-virus engine which has won several international certificates like ‘VB 100’ and ‘Check Mark.’

[Figure: Internet → AhnLab CDN / ASEC → virus/malware V3 engine update (regular / frequent / emergency) to TrusGuard]

(35)

TrusGuard Features – Anti-Spam

TrusGuard uses a powerful, world-class spam engine for spam filtering.

TrusGuard uses a Global Anti-Spam Engine that is used by more than 100 customers worldwide. TrusGuard features a superb spam filtering rate of 97% and a very small false-positive rate of 1 in 1.5 million. TrusGuard also provides a preemptive filtering function against “unknown viruses” that are distributed via e-mail.

Spam Detection Engine
  • Detection of spam from 130 nations
  • Distribution pattern base
  • Structure pattern base
  • Detects spam mail: “97% spam filtering rate”, “False-positive rate of 1 in 1.5 million”
  • Detects e-mail virus outbreaks: preemptive filtering of unknown e-mail viruses
  • Powerful spam filtering

(36)

TrusGuard Feature – Total Web Access Filtering

TrusGuard can prevent intrusion by malware into the internal network by blocking access not only to non-work-related websites but to malware distribution sites and phishing sites as well. (To be provided in May 2010.)

[Diagram: Internet / TrusGuard / DMZ / Server farm; Non-work related sites DB and SiteGuard DB, each synchronized to TrusGuard (block synch.); Blocks access to non-work related websites; Blocks access to malware distribution URLs; Blocks access to phishing sites]

* The TrusGuard-SiteGuard synch service is planned to be provided in May 2010.

TrusGuard is equipped with its own DB of malware distribution sites, which have become major sources of malware distribution. This DB is updated in real time to provide up-to-date protection.

(37)

Special Advantages of AhnLab TrusGuard UTM - LogServer

12. Analyzing various security threat events and monitoring & reporting should be available.

TrusGuard UTM provides detection, prevention, and analysis of security events, including firewall, IPS, anti-virus, and anti-spam, through a "Single Interface."

[Diagram: Firewall Log, VPN Log, Anti-Spam Log, Anti-Virus Log and IPS Log collected by the UTM Log Server]

[UTM Log Server Functions]
• Log collection/storage
• Security threat analysis and graphical display
• 50 types of security reporting
- User-defined integration report configuration

[Log Server UI Sample]
▪ Real-time Monitoring
- Real-time display of attacks
- Top 10 Information: By user, attack type, or service type
- Real-time session monitoring
▪ Various analysis tools
- Attack patterns & trend analysis
- Tracing details through Monitoring UIs (Drill-down)
- Event IP monitoring
▪ Administrator Alerting
- Threshold setting and event alerting (E-mail)
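As an added illustration of the Log Server functions listed above (example code, not AhnLab's own; the "module key=value" line format, field names and every sample event are constructed assumptions), the following script collects lines from the five log sources into one store, computes Top-N by user, attack type, service or event IP, drills down into one source, and evaluates threshold rules for administrator alerting:

```python
"""Added example, not AhnLab/TrusGuard code: a toy model of the UTM Log
Server functions on this slide. The line format ("<module> key=value ...")
and every sample event below are constructed assumptions."""
from collections import Counter

# Constructed sample lines from the five log sources the slide names
SAMPLE_LOGS = [
    "FW src=10.0.0.9 user=park event=policy-deny svc=smb",
    "IPS src=10.0.0.5 user=kim event=sql-injection svc=http",
    "IPS src=10.0.0.5 user=kim event=xss svc=http",
    "IPS src=10.0.0.7 user=lee event=sql-injection svc=http",
    "AV src=10.0.0.5 user=kim event=worm-detected svc=smtp",
    "SPAM src=203.0.113.4 user=- event=spam svc=smtp",
    "SPAM src=203.0.113.4 user=- event=spam svc=smtp",
    "VPN src=198.51.100.2 user=choi event=tunnel-up svc=ipsec",
    "IPS src=10.0.0.5 user=kim event=sql-injection svc=http",
]


def parse_line(line):
    """Split one log line into a dict: module plus its key=value fields."""
    module, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["module"] = module
    return fields


def collect(lines):
    """Log collection/storage: one event list covering all modules."""
    return [parse_line(line) for line in lines]


def top_n(events, key, n=10):
    """Top-N information by 'user', attack type ('event') or service ('svc');
    key 'src' gives the event-IP monitoring view."""
    return Counter(e[key] for e in events).most_common(n)


def drill_down(events, module):
    """Trace one log source (FW, IPS, AV, SPAM, VPN) down to its event types."""
    return top_n([e for e in events if e["module"] == module], "event")


def threshold_alerts(events, rules):
    """Administrator alerting: rules map (key, value) to a count threshold.
    Returns the alert texts that would be e-mailed to the administrator."""
    keys = ("user", "event", "src", "module")
    counts = Counter((k, e[k]) for e in events for k in keys)
    alerts = []
    for (key, value), limit in rules.items():
        seen = counts[(key, value)]
        if seen >= limit:
            alerts.append(f"ALERT {key}={value} count={seen} threshold={limit}")
    return alerts


if __name__ == "__main__":
    evs = collect(SAMPLE_LOGS)
    print("Top attack types:", top_n(evs, "event", 3))
    print("Top users:", top_n(evs, "user", 3))
    print("IPS drill-down:", drill_down(evs, "IPS"))
    rules = {("event", "sql-injection"): 3, ("src", "10.0.0.5"): 5}
    for alert in threshold_alerts(evs, rules):
        print(alert)
```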

(38)

TrusGuard Features – AhnLab TrusGuard Manager

TrusGuard provides the management tool for efficient control of many appliances.

TrusGuard Manager is a management tool for controlling many TrusGuard appliances. Chief among its advantages are a "user-oriented, simple & dynamic UI" and a "powerful monitoring function for the managed appliances."

Powerful monitoring
○ Powerful monitoring environment
- System status information of all managed appliances
- Network usage status of all managed appliances
- Interface error status of the managed appliance
- Health check of the managed appliance
- VPN connection status of the managed appliance

Simple policy setting/management
○ Integrated policy profiling technique
○ Easy setting of IPSec VPN
○ Drag & drop group configuration

Many value-added functions
○ LogServer Single Sign-on
○ Supports DB2 (freeware version).
○ AST synch function *
* To be provided by the end of 2009.

Specialized visualization
○ Differentiated look & feel
○ Dynamic & simple UI
○ User-oriented low-depth structure
○ Graphical monitoring

(39)

TrusGuard Features - Manager

TrusGuard provides the management tool for efficient control of many appliances.

Manager Overview

[Screenshot: Real-time monitoring of all managed appliances]

(40)


Customer Benefits

(41)

Customer Benefits

1. You can build a reliable and flexible high-performance network security environment.

[Diagram: Internet / TrusGuard at HQ and branches; Filtering by synching with IPS/AV; NAC by synching with V3]

① Reliable and flexible high-performance firewall
- Can configure HA without L4 equipment. (A-A, A-S)
- Can control HA separately for the VLAN trunking port and the VLAN port.

② Flexible VPN with enhanced security
- Prevents intrusion by malware into internal networks by strengthening the network perimeter security among branches. (IPS/AV function is on.)
- Effectively prevents internally infected malware like worms/Bots from spreading to the entire internal network through VPN.
- IPSec VPN and SSL VPN can be mixed to meet the customer's environment.

③ Detection of zombie PCs & prevention of malware spread
- System and know-how to detect & analyze malware
  . BotNet information management system / WebMon system
  . DDoS monitoring system (with 1 million sensors)
- Detects and prevents the spread of zombie malware in real time.

(42)

Customer Benefits

2. The spread of malware to entire networks can be prevented by detecting and blocking malware/Bots.

- Prevention of threats in branches: Prevents infection by worms/viruses.

"Enhancing security of branch VPN traffic" that is flowing into HQ via VPN
- Applying security policy to VPN traffic that flows from branches to HQ & synching with IPS

"Prevention of malware spreading among distribution networks" in HQ
- By implementing TrusGuard in front of each network segment, internal spread and external attacks by worms/zombies can be prevented.

[Diagram: Headquarter (Internet, Core Network, Distribution Network, DMZ Server Farm; TrusGuard 1000, TrusGuard 400, TrusGuard 500) and Branches (TrusGuard 100, AST)]

(43)

Customer Benefits

3. You can build a network environment that is free from external security threats.

[Diagram: Internet threats (Worm, Bot, DDoS, Trojan, Spyware, Virus, Phishing, Unauthorized User, Data Sniffing, Web vulnerability, OS/IE vulnerability, ...); TrusGuard protecting HQ, Branch and Remote sites]

• Security threats are getting "complicated, varied & intelligent."

• A general firewall/VPN provides "access control/anti-data sniffing" functions only.

• AhnLab TrusGuard provides a clean network environment through
"firewall function based on stateful inspection,"
"IPS & AV function for protection against external attacks," and
"IPSec/SSL VPN function for safe communication with branches or remote offices."

(44)

Customer Benefits

1. Establishment of the network environment free from external security threats is possible. (Continued)

• A three-phased blocking method protects the network from "unknown network attacks."

• 24*7 updates of blocking rules and signatures through ASEC prevent threats from the "latest attacks."

[Diagram: Internet (KT, DACOM, Hanaro) / 1/2 Center / AhnLab AST Server / ASEC / AhnLab CDN Service; Signature Update]

* ASEC (AhnLab Security E-response Center)

[Three-phased Blocking]
Phase 1: Update of predictive prevention blocking rules before the advent of the worms
- Distribution of predictive prevention rules for potential worms and attacks through OS vulnerability analysis
- Proactive measures against worm variants
Phase 2: Initial spread blocking rule
- Application of the e-mail filtering rule in the initial spread of the worms
Phase 3: Signature update through sample analysis
- Sample collection and application of the signature made by ASEC

ASEC's rich experience in dealing with malicious code for the past 18 years ensures real-time monitoring and analysis of worms and viruses worldwide, and provides accurate and prompt signature updates.

(45)

Customer Benefits

2. Reduction of Total Cost of Operation (TCO)

"With the cost of a firewall, IPS and virus/spam solutions can be built"

[Diagram: Point Solution (multi-vendor solutions of different service levels: Firewall/VPN, IPS/IDS, Anti-Spam, Viruswall, Web Filtering) versus TrusGuard (All in One Box)]

Point Solution Risks
- High costs for adopting the solution
- Troubleshooting issues
- Issue of securing the necessary operation workforce

TrusGuard Benefit
- All in One Box
- Simple maintenance
- Efficient manpower allocation
• Easy troubleshooting
• Service continuity can be guaranteed with the provision of bypass functions.
• Used not only for security but also for other operations.
• Greater productivity.

(46)

Customer Benefits

3. Removal of garbage traffic increases productivity and network efficiency.

[Diagram: Firewall Only: work traffic and web surfing mixed with P2P, spam, malicious code, messenger and harmful sites (securities/gambling); After adopting TrusGuard UTM: work traffic and web surfing only]

[Firewall Only]
• Traffic filtering unavailable
• Wide-spread garbage traffic
• Compromised network resource efficiency

[After adopting TrusGuard UTM]
• Control by traffic type
- Spam blocking
- P2P / Messenger control
- Harmful site access control
- Malicious code prevention
• Network cost reduction through traffic optimization
• Greater concentration and productivity

(47)


Implementation Case

(48)

Implementation Case: 00 City Hall (Firewall only)

[Diagram: Internet / router / router / TrusGuard (double-stacked); OSPF setting; A-A HA setting]

○ Weakness in old configuration
- The redundant configuration of single-core based, low-end firewalls couldn't handle the increase in traffic.

○ Improved security configuration
- The single-core firewalls were removed and TrusGuard 1000 units were double-stacked.
- Active-Active High Availability setting
- Automatic backup by configuring OSPF in the redundant router/security appliance area

○ Benefits
1) Multi-core, high-performance TrusGuard provided the required throughput.
- Flexible handling of the growing volume of multimedia & Internet contents.
2) Double-stack configuration of TrusGuard enabled high network availability.
- Configuration of session synchronization and policy synchronization
3) Powerful access control based on the stateful inspection method

(49)

Implementation Case: 00 Education Office (Firewall + SSL)

[Diagram: Internet / TrusGuard (Firewall) / TrusGuard (SSL) / DMZ server network / Internal server network]

○ Weakness in old configuration
- Performance issue from using a single-core based, low-end firewall
- Use of an IPSec VPN client for remote/telecommuting workers
→ Usability reduced due to many problems with disasters, maintenance, installation, etc.

○ Improved security configuration
- The single-core firewall was removed and TrusGuard 1000 units were double-stacked.
- Active-Standby High Availability setting
- The SSL VPN of TrusGuard was provided for remote/telecommuting workers.

○ Benefits
1) Multi-core, high-performance TrusGuard provided the required throughput.
- Flexible handling of the growing volume of multimedia & Internet contents.
2) Double-stack configuration of TrusGuard enabled high network availability.
- Configuration of session synchronization and policy synchronization
3) Security and availability in remote access by the SSL VPN of TrusGuard
4) Enhanced security when connecting to the SSL VPN
- Provides a PC firewall and anti-keylogging to connected PCs by installing AhnLab AOS.
- Deletes remaining cookies on PCs after the connection is terminated.

(50)

Implementation Case: 00 Newspaper (Firewall + IPS)

[Diagram: Internet / L4 switch / TrusGuard (Firewall+IPS) / Web firewall / Image server, Web server, DB server]

○ Weakness in old configuration
- Many vulnerabilities due to the simple firewall configuration at the gateway
- Performance issue in the web firewall due to a large volume of unfiltered incoming traffic

○ Improved security configuration
- The simple firewall was removed and TrusGuard 1000 units were double-stacked.
- Simultaneous running of firewall + IPS
- Active-Active setting through the L4 switch

○ Benefits
1) By simultaneously running firewall and IPS,
- a large volume of harmful traffic targeting the web servers and DB server can be filtered.
  ex) web vulnerability attacks (SQL Injection / XSS attack)
- a large volume of harmful traffic to the web servers is filtered first, which reduces the performance overload on the web firewall behind it.

(51)

Implementation Case: 000 Political Party (DDoS)

[Diagram: Internet / TrusGuard / Web server; Attacker controls a C&C server, which controls Zombies that send DDoS traffic to the Web server]

○ Weakness in old configuration
- Service errors due to DDoS attacks occurred.
- The firewall went down due to instant overloading of sessions.
- Vulnerable to various hacking, network attacks and malware that bypass the firewall policy. (Web/Application vulnerability attack, Worm, Bot, Trojan, etc.)

○ Improved security configuration
- TrusGuard was deployed as a dedicated DDoS protection appliance in front of the firewall at the Internet gateway.

○ Benefits
1) Effective prevention of DDoS attacks
- Normal working of the firewall due to prevention of DDoS attacks
- Prevention of DDoS attacks like tcp-syn, icmp, tcp-ack flooding, etc.
- Internal service availability was guaranteed due to normal working of the firewall.
2) Blocking of many malware or attacks that cannot be prevented by the firewall
- Worms, Bot, Trojan, Downloader, etc.
- Application vulnerability attack, DoS/DDoS attack, etc.
3) Effective protection against attacks that exploit web vulnerabilities
- Web application vulnerability attack (SQL Injection, XSS, etc.)
- OS/IE vulnerability attack, etc.

(52)

Implementation Case: 00 Dotcom (VPN Network)

[Diagram: Internet; TrusGuard at Headquarter, Branch and IDC (server farm) connected by IPSec VPN tunnels; TrusGuard Center; telecommuting/mobile workers connected over an SSL VPN tunnel]

○ Weakness in old configuration
- Because the simple VPN setting between HQ and branches provided an encrypted communication method only, malware infection in the data or unauthorized access could not be detected.
- Errors were frequent in the IPSec VPN client on the PCs of telecommuting workers.

○ Improved security configuration
- TrusGuard provided a safe VPN channel between HQ and branches.
→ Runs firewall + IPSec VPN + IPS functions simultaneously.
- TrusGuard provided a safe VPN channel between HQ and the data center.
- SSL VPN channel for telecommuting/mobile workers

○ Benefits
1) Security in branches was raised to the level of HQ.
- Firewall, VPN, IPS, Anti-Virus, Contents Filtering, etc.
2) Blocks malware that comes through traffic in the VPN tunnel.
- Firewall policy application for VPN traffic & detection/prevention of malware by IPS
3) Redundant configuration of security appliances in HQ through High Availability (Active-Active, Active-Standby) setting
- Can set up a redundant configuration without a session synch technique & L4 switch.
4) Secure VPN channel between HQ and branches
5) Flexible SSL VPN setting for telecommuting/mobile workers

(53)

Implementation Case: 00 Gas Station (VPN Network) (1)

[Diagram: Center with two TrusGuard 1000 units (Active / Standby, Link Aggregation), ATM (Integrated management), C2950 trunk, VPN and local network, DB; Internet; Branches (gas stations) each with a TrusGuard 50; integrated policy setting from the Center]

(54)

Implementation Case: 00 Gas Station (VPN Network) (2)

○ Weakness in old configuration
- Used a dedicated 256K data line for the connection between HQ and the gas stations under direct control.
→ Too expensive when using the dedicated data line.
- No additional system that could respond to security threats was present except the firewall in HQ.
→ Very vulnerable to worms and malware that infect a gas station and then spread to the entire network.

○ Improved security configuration
- Using the IPSec VPN of TrusGuard, the connection between HQ and stations was configured in a gateway-to-gateway setting.
- On the deployed TrusGuard, the full set of firewall, VPN, IPS, AV, anti-spam and website filtering functions was implemented.

○ Benefits
- The expensive fee for the dedicated data line was reduced to the level of high-speed Internet broadband lines. → Cost saving while maintaining the security level.
- By running the various security functions of TrusGuard (IPS, Anti-virus, Anti-spam, blocking of harmful websites, etc.):
→ The availability of the station network was ensured by blocking incoming threats at the network level.
→ By preventing malware like worms and Bots that infect a station from spreading to the internal network through the VPN tunnel,
1) the availability of the VPN network between HQ and branches was ensured, and
2) the major server systems in HQ can be protected from various security threats.
→ The synch with the DDoS monitoring system effectively prevents zombie malware from intruding and spreading to the internal network.
