
Cyberoam
White paper

Cyberoam’s Layer 8 Technology
Protecting the weakest link in your security chain – the USER!


Cyberoam's exclusive Layer 8 technology treats user identity as the 8th layer, or the human layer, in the network protocol stack, enabling organizations to overcome the limitations of conventional UTMs/firewalls, which bind security to IP addresses alone. By implementing Layer 8 security in their networks, administrators gain real-time visibility into the online activity of users while creating security policies based on their usernames.

Introduction

Imagine an Internet without domain name servers (DNS): would you rather keep count of thousands of machine-readable, numeric IP addresses (192.168.8.1, etc.), or simply recall your favorite domain names: yahoo.com, facebook.com, etc.?

Now, think about the frustrations of a typical network administrator whose duties include reviewing logs generated by the web and mail activity of several hundred users, retrieving each and every computer name by its unique IP address and managing multiple user accounts.

The problem is further compounded by a shared, dynamically changing computing environment where administrators have to regularly update Internet access privileges for changing user scenarios: new joinees, leavers, employees in new roles. Furthermore, in dynamic DHCP and Wi-Fi environments, users can often cover their tracks by hiding behind a common IP address or machine to visit inappropriate websites, videos, infected files and more. In the absence of user-centric logs and reports, it is impossible to keep track of which user opened a specific website or application at a particular time.

It may get worse due to the rise of insider threats at the database level. Data demands of various users, poor access controls and excess permissions leave systems vulnerable to malicious internal users, especially the ones with technical knowledge of the database systems. Without being traced, they can exploit scripts, programs, toolkits, IP spoofing or unauthorized backdoor accounts, which can lead to full-blown database disclosures.


The User: the Weakest Security Link in an Organization

Under the traditional perimeter model of security, organizations were more concerned about outside-in threats, where firewalls, IDP, etc. detect common phishing frauds, hackers and more. Following such an approach today neglects the most critical and weakest security component: the human element. In an inside-out threat scenario, human users, either out of sheer ignorance or malicious intent, can become the weakest link in the security chain. As mentioned previously, shared computing environments such as the multiple-users-per-machine setting are conducive to viruses, Trojans, worms, etc. propagating unchecked in the network. They also encourage users to freely surf prohibited sites (e.g. pornography, proxies) by hiding behind the IP address or someone else's machine.

Many security architects would admit that their networks often resemble what is known as "coconut security": hard on the outside, soft on the inside. All the protection and security resources are directed towards the perimeter, trying to keep the bad guy disarmed. However, the soft inside is what the attackers are really after, and the security solution is ultimately about getting to the crux of it all, i.e. knowing the insider threat source so that action against security breaches can be instantaneous.

For instance, many employees use instant messengers, webmail attachments and social networking sites without authorization which can create avenues for malware and data leakage. In another scenario, heavy downloading and online gaming by some users can take its toll on network performance as these are bandwidth-eating applications. Sometimes, even a single user can bring the entire network to a crawl as it gets flooded with unnecessary traffic.

The problem gets more serious with malicious insiders. For instance, if a competitor had to gather information about an organization's trade secrets, what would be easier - employing the services of a hacker, or simply targeting an internal employee with access to the organization's confidential information?

A study by Ponemon Institute found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure. There are many reasons such users like to hurt the company; it could be a feeling of resentment due to an overlooked promotion or salary raise, or just the desire to use existing knowledge gained in the company with a new employer.

In August 2009, DuPont filed a lawsuit against a research scientist for breach of contract and misappropriation of trade secrets for stealing a large number of files. Earlier, another DuPont research scientist was sentenced to prison for 18 months.

An ex-employee casually sends a chat message on Yahoo Messenger, a standard mode of communication in the organization, asking ex-colleagues to look at his new photos hosted on an unknown URL. The unsuspecting ex-colleagues click on the link, which prompts them to enter their Yahoo log-in IDs and passwords. Unknown to them, the log-in information is now captured by the ex-employee. In this way, he builds a good repository of corporate passwords. The attacker now has the ability to log on to Yahoo! at any time in the guise of his former colleagues, misguide customers and put the organization at risk.

Some of these attackers use social engineering tactics, where they use persuasion skills on the target victims to create gaping security holes in the network.


Cyberoam Layer 8 (Human Layer) technology: Security built around the User's Identity

Most organizations have learned to live with the fact that users' online behavior is always unpredictable and that there is not much that can be done, no matter how strict the Internet access policies are made. This limitation can be attributed to existing firewalls/UTMs, which are based on the association of a source IP address with a destination IP address and have no visibility into the source of attacks: the user. They are unable to apply user-specific rules when multiple users share a single IP address. In these systems, the user's identity is simply not part of the rule-matching criteria considered by the firewall.

Accordingly, Cyberoam's Layer 8 concept was derived from the need for a more robust network security system capable of considering a user's identity as part of the firewall rule-matching criteria. It treats user identity as the 8th Layer, or the HUMAN layer, in the network protocol stack (see the figure below), thus attaching user identity to security while authenticating, authorizing and auditing the network. This takes organizations a step ahead of conventional security appliances, which bind security to IP addresses.

Using Layer 8, the administrator is able to create a permanent profile for the user which makes all future authentication possible based on identity-based decision parameters such as username, IP address, MAC address and session ID. The profile is specific to the user and does not ever change no matter what machine he/she operates from in the organization.
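As an added illustration (not Cyberoam's code or configuration) of how a rule base that carries user identity differs from one keyed on IP addresses alone: a constructed session table binds (IP address, MAC address) to the authenticated username and session id, rules are matched on username or group rather than on the source address, and the same source IP gets a different verdict once a different user logs on from it. All usernames, groups, addresses, zones and rules are constructed for the example.

```python
from dataclasses import dataclass

# Constructed session table (hand-written here; a Layer 8 appliance fills it
# from login events). Key: (source IP, source MAC) -> (username, session id)
SESSIONS = {
    ("10.0.5.20", "00-17-BB-8C-E3-E7"): ("alice", "sess-1001"),
    ("10.0.5.21", "00-17-BB-8C-E3-E8"): ("bob", "sess-1002"),
}
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}  # constructed group membership

@dataclass(frozen=True)
class Rule:
    """One firewall rule; an empty set means 'any' for that criterion."""
    action: str                         # "allow" or "deny"
    users: frozenset = frozenset()      # usernames
    groups: frozenset = frozenset()     # group names
    apps: frozenset = frozenset()       # Layer 7 application names
    dst_zones: frozenset = frozenset()  # destination zones

# Constructed policy: evaluated top-down, first match wins, default deny.
POLICY = [
    Rule("deny", groups=frozenset({"finance"}), apps=frozenset({"p2p", "im"})),
    Rule("allow", groups=frozenset({"finance"}),
         dst_zones=frozenset({"internet", "finance-lan"})),
    Rule("allow", groups=frozenset({"engineering"}), dst_zones=frozenset({"internet"})),
]

def identify(src_ip, src_mac):
    """Layer 8 lookup: flow source -> authenticated user. Keying on IP *and* MAC
    means a host spoofing another host's IP from its own NIC gets no session."""
    return SESSIONS.get((src_ip, src_mac))  # (user, session id) or None

def evaluate(src_ip, src_mac, app, dst_zone):
    """Return (action, user, index of the matching rule) for one flow."""
    ident = identify(src_ip, src_mac)
    if ident is None:
        return ("deny", None, None)  # unauthenticated source: no rule applies
    user, _session = ident
    user_groups = GROUPS.get(user, set())
    for i, r in enumerate(POLICY):
        if r.users and user not in r.users:
            continue
        if r.groups and not (r.groups & user_groups):
            continue
        if r.apps and app not in r.apps:
            continue
        if r.dst_zones and dst_zone not in r.dst_zones:
            continue
        return (r.action, user, i)
    return ("deny", user, None)  # implicit default deny

def login(src_ip, src_mac, user, session):
    """Bind a new user to a host (e.g. bob takes over alice's shared PC)."""
    SESSIONS[(src_ip, src_mac)] = (user, session)
```

The spoofing case (alice's IP seen from bob's MAC) falls through to the unauthenticated verdict, which is what the "prevent IP spoofing attacks" firewall feature relies on.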

Once authenticated, the user may be authorized by the administrator to gain access to the Internet based on various usage parameters including access time, Internet quota, security policies, web filtering, application controls, bandwidth restrictions and instant messenger controls. Finally, audit logs and reports including identity information

Figure: User Identity-based Security Policy Controls. Cyberoam network security appliances (UTM, Next Generation Firewalls) offer security across Layer 2 to Layer 8 using identity-based policies; Cyberoam's Layer 8 Technology treats “User Identity” as the 8th Layer in the protocol stack. The layers, with the identifier the figure shows for each: L8 User; L7 Application; L6 Presentation (ASCII, EBCDIC, ICA); L5 Session (L2TP, PPTP); L4 Transport (TCP, UDP); L3 Network (192.168.1.1); L2 Data Link (00-17-BB-8C-E3-E7); L1 Physical.

“Cyberoam's Layer 8 security system treats user identity as the 8th Layer or the HUMAN layer in the network protocol stack, thus attaching user identity to security. This takes organizations a step ahead of conventional security appliances which bind security to IP addresses.”


Practical implications of Layer 8

Implementing Layer 8 in their networks enables organizations to align their security decisions with the actual human identities of users instead of IP addresses alone. This translates into a proactive security approach (instead of a reactive one) where security administrators are able to plan ahead, think through what security issues may come up in the future, and successfully make front-end efforts to prevent surprise insider attacks. In view of that, a Layer 8-enabled organization is more capable of foreseeing what is coming down the road, and where the attackers are coming from.

Measuring User Threat Quotient (UTQ): In an era of fluid network perimeters, where employees, customers and partners require access to different levels of sensitive business information, administrators feel the constant need to review the changing threat scenario posed by various users. This is done by measuring their User Threat Quotient (UTQ). To make the administrator's task easier, Layer 8 involves identity-based heuristics.

Once the required information is gathered, administrators can calculate the UTQ by rating users on various parameters. For example, the susceptibility of users to attacks may be ascertained from their employee status: whenever there is a new joinee or a terminated/expelled employee, the threat incidence becomes more pronounced, because administrators notice deviations from normal, acceptable user behavior. Administrators would also be interested in analyzing “who is doing what and when” in the network. This furnishes details such as usage of anonymous proxies, downloading of hacking tools, accessing data off-hours, and the total amount of data downloaded. Any malicious activity by a user would automatically raise a red flag, because the administrator would have the entire context of his/her activity: repeated wrong-password attempts, intrusion/hacking attempt alerts and more. It also enables individualized education for the end user.
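A constructed illustration, added here and not Cyberoam's UTQ implementation, of rating users from identity-tagged logs on the parameters listed above (anonymous proxies, hacking-tool downloads, off-hours access, data volume, repeated wrong-password attempts, IPS alerts), keeping the reasons alongside the score so the administrator has the context behind the red flag. The log format, the users, the weights and the alert threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a made-up format (not Cyberoam's log format):
# "<timestamp> <user> <event> key=value ...".
LOG_LINES = """\
2014-03-03T09:12:00 alice web category=business bytes=120000
2014-03-03T23:40:00 alice web category=anonymous-proxy bytes=4000000
2014-03-03T23:41:00 alice web category=hacking-tools bytes=9000000
2014-03-04T02:05:00 alice auth result=failed
2014-03-04T02:05:30 alice auth result=failed
2014-03-04T02:07:00 alice ips signature=backdoor-activity
2014-03-03T10:00:00 bob web category=business bytes=500000
2014-03-03T19:30:00 bob auth result=failed
""".splitlines()

# Points per parameter (anonymous proxies, hacking-tool downloads, off-hours
# access, wrong-password attempts, IPS alerts); the weights are assumed.
WEIGHTS = {"anonymous-proxy": 3, "hacking-tools": 5, "off-hours": 1,
           "failed-login": 1, "ips-alert": 4}
WORK_HOURS = range(8, 20)    # 08:00-19:59 is normal working time (assumed)
BYTES_PER_POINT = 5_000_000  # 1 point per 5 MB downloaded (assumed)

def utq(lines):
    """Return {user: (score, reasons)} sorted by descending score, so the
    administrator sees the score together with the context behind it."""
    scores, reasons, downloaded = defaultdict(int), defaultdict(list), defaultdict(int)

    def add(user, key, why):
        scores[user] += WEIGHTS[key]
        reasons[user].append(why)

    for line in lines:
        ts, user, event, *kv = line.split()
        ts, f = datetime.fromisoformat(ts), dict(p.split("=", 1) for p in kv)
        if ts.hour not in WORK_HOURS:
            add(user, "off-hours", f"off-hours {event} at {ts:%H:%M}")
        if event == "web":
            downloaded[user] += int(f["bytes"])
            if f["category"] in WEIGHTS:      # proxy / hacking-tool categories
                add(user, f["category"], f["category"])
        elif event == "auth" and f.get("result") == "failed":
            add(user, "failed-login", "failed login")
        elif event == "ips":
            add(user, "ips-alert", "ips " + f["signature"])
    for user, nbytes in downloaded.items():   # volume scored once per user
        if nbytes // BYTES_PER_POINT:
            scores[user] += nbytes // BYTES_PER_POINT
            reasons[user].append(f"{nbytes / 1e6:.0f} MB downloaded")
    return {u: (scores[u], reasons[u]) for u in sorted(scores, key=scores.get, reverse=True)}

def red_flags(lines, threshold=10):
    """Users whose UTQ reaches the (assumed) alert threshold."""
    return [u for u, (score, _) in utq(lines).items() if score >= threshold]
```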

Adding speed to security: Organizations often go to great lengths to secure their physical infrastructure. They may store highly sensitive information in a special computer room, lock server areas, deploy CCTV cameras and anti-theft alarms, and restrict employees' access to different departments/zones of a building.

What if it were possible to build in similar levels of protection to prevent information theft? Layer 8 protects corporate data and servers from unauthorized outside access while granularly preventing chosen internal users from accessing LAN-resident sensitive data such as customer records, tenders and contracts, internal files and applications and more. Since access control policies can be configured directly on the username rather than on IP addresses alone, administrators can take faster decisions on preventing unauthorized entities (outsiders, malicious insiders, etc.) from breaching the company's perimeter. This automatically adds speed to security.

Who is doing what?
Who is the attacker?
Who are the likely targets?
Which applications are prone to attack – who accesses them?
Who inside the organization is opening up the network? How?


Cyberoam’s integrated security built around Layer 8:

Cyberoam has incorporated the Layer 8 security paradigm in its Next Generation Firewall (NGFW). The Layer 8 design penetrates each and every security module of these appliances and enables administrators to apply security, connectivity and productivity policies to users.

Figure: the Layer 8 security appliance applies each of its security modules to individual users. The modules and their identity-based features:

Firewall
- Embed user identity in rule-matching criteria
- Role-based administration
- Granular IM, P2P & applications control
- Prevent IP spoofing attacks
- VLAN support: work & profile-based groups

Intrusion Prevention System
- Identity-based IPS policies for users and groups
- Identity-based alerts and reports
- Prevent user-targeted blended threats, backdoors, etc.

Wireless WLAN Security
- Segmented network for employees and guests
- No common pre-shared keys: prevent information theft
- Layer 8 authentication and identity-based reports

Cyberoam iView Logging and Reporting
- Intrusion events and policy violations
- Identity-based reporting: “who is doing what”
- Web surfing trends and search reports
- Top unproductive sites and users
- Virus and intrusions reporting

Bandwidth Management
- Committed bandwidth for regular users
- Traffic routing based on user needs for assured QoS
- Establish priorities based on users, categories, applications
- Time-based bandwidth allocation for users

Application Layer 7 Visibility and Controls
- Visibility and controls on applications' usage by users
- Organization-wide application access policies for individual users
- User hierarchy-based application access control

Instant Messenger controls
- Prevent employees from idle chat
- Block file transfers, webcams, video
- Restrict who can chat with whom
- IM audit logs to study user behavior
- Keyword-based content filtering on chat window

Content Filtering
- Policies on users, groups, departments, hierarchy
- Block users from malware-laden sites
- Blocking IM, P2P applications & proxies


The Cyberoam identity-based firewall offers an interface for achieving unified security, allowing rules for all features to be configured and managed from the firewall page with complete ease. Layer 8 binds the security features together into a single, consolidated security unit and enables the administrator to change security policies dynamically while accounting for user movement: joiner, leaver, rise in hierarchy, etc.

Through the Cyberoam Intrusion Prevention System, Layer 8 identity-based policies can be applied to users as well as user groups. Identity-based alerts and reports are generated every time DoS/DDoS attacks, malicious code transmission, backdoor activity or blended threats occur due to user activities. Cyberoam's identity-based reporting module, Cyberoam iView, pinpoints precise network activity for each and every user. The iView dashboard shows all network attacks on a single screen, with third-level drill-down reports (1000+ reports) for investigating the attacks and the users behind them.

Cyberoam's identity-based content-filtering feature streamlines the management of corporate Internet access by monitoring the Internet traffic generated by each user and the time spent on Internet resources, and by allowing access limitations to be set based on time and day of the week. In addition, Cyberoam network security appliances offer a user-, time- and role-based bandwidth management approach which ensures that users consuming huge amounts of bandwidth for non-productive work are restricted at the time of policy-making. Cyberoam Instant Messaging Controls with the Layer 8 identity-based approach keep productivity in check by allowing administrators to control who can chat with whom over all communication media such as text chat, webcam and file transfer.

Layer 8 across Cyberoam’s entire Security Portfolio

Wireless WLAN security: Cyberoam network security appliances offer high-performance, Layer 8-based security over WLAN networks in order to secure wireless networks to the same extent as wired networks. Cyberoam offers strong user authentication, Internet access controls and reports with an identity-based approach, and offers separate Guest and Employee Network Access. With this, it has the ability to trace user-specific activities while reducing the risk of information theft and the liability of cyber terrorism attacks.

Meeting regulatory compliance norms : Given the magnitude of threats to employee, customer, and corporate data, compliance regulations such as HIPAA, GLBA, SOX, PCI DSS, and more are forcing organizations to undertake security measures that control the access and activity of users. Faced with penalties in the case of non-compliance with regulations and loss of reputation in the case of data loss, organizations are under growing pressure to implement compliance measures within their network premises.

Cyberoam Product Portfolio: CR NG series NGFWs, CR NG series UTMs, Virtual Security Appliances, Cyberoam Central Console (CCC), CR iView (Logging & Reporting).

Cyberoam Awards & Certifications: Checkmark Certified (www.check-mark.com); VPNC Certified: Interop Basic, AES Interop; VPNC Certified: SSL Advanced Network Extension, SSL Basic Network Extension, SSL JavaScript, SSL Firefox, SSL Exchange, SSL Portal; PC PRO Recommended; Recommends; Best Buy; Editor’s Choice.

Copyright © 1999-2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved.
