Gateway Security at Stateful Inspection/Application Proxy

Academic year: 2021

Share "Gateway Security at Stateful Inspection/Application Proxy"

Copied!
37
0
0

Loading.... (view fulltext now)

Full text

(1)

Gateway Security at Stateful Inspection/Application Proxy

Michael Lai

Sales Engineer - Secure Computing Corporation

(2)

Agenda

- Who is Secure Computing Corporation
- Stateful Inspection vs Application Proxy
- IPS on Application Proxy Firewall
- Web Page Displacement
- P2P/IM Control

(3)
(4)

Secure Computing Highlights

Who We Are

- Public company (NASDAQ: SCUR); HQ is San Jose (USA), worldwide presence; 900+ employees
- Largest independent enterprise gateway security company
- Annual billings run rate ~$300M, profitable, strong cash generation

What We Do

- Singular focus on enterprise gateway to enable safe, secure and productive use of open networks, including the Internet
- Perimeter protection – most secure firewalls, Identity & Access
- Comprehensive messaging & web gateway security
- Inbound & Outbound protection: Block the bad and guard the good

Technology

- 145 Patents pending/granted
- Unmatched protection with TrustedSource using global intelligence
- Purpose-built gateway security appliances
- Recognized leadership positions by Gartner and IDC

Customers

- 20,000+ Blue-chip customers in 106 countries.

(5)

Securing connections between people, applications, and networks™

[Diagram: Enterprise Gateway Security: Integrated, Best-of-Breed Appliances. Panels: "Secure your Messaging Communication" (Encryption, Anti-Virus, Anti-Malware, URL Filtering, Compliance, Anti-Spam); "Secure your Web Communication"; "Application Gateway" (Anti-Virus, Intrusions, Encryption, Compliance)]

(6)
(7)

Two Kinds of Firewall

- Network layer and packet filters (L4):
  - Control based on IP and port
  - Stateful and stateless
- Application-layer (L7):

(8)

Proxy Technology Vs. Packet Filtering

Only Trusted Proxies Talk to Your Servers!

- External clients NEVER DIRECTLY CONNECT with the internal application servers
- TWO SEPARATE CONNECTIONS are maintained per client-server session
- ONLY TRUSTED PROXY is allowed to talk directly to the internal application servers

Stateful Inspection Compromises Security

- Stateful Inspection (SI) allows external clients a DIRECT PACKET FLOW WITH SERVERS
- SI is more like a router than a true firewall – COMPROMISING SECURITY to gain performance
- Helping unknown sources get direct connections with

(9)

Application Proxy Technology

[Diagram: an untrusted Client on one side and the trusted Web Server / App Server (Oracle, SQL, Citrix, VoIP, etc.) on the other; the HTTP Proxy sits between two separate TCP/IP stacks. Labels: Layer 7 defenses, Full packet assembly, RFC compliance, Configured to allowed use, All else denied, Scanning Engines]

- ONLY Sidewinder’s trusted proxy is allowed to talk directly to internal application servers
- Two separate connections are maintained per client-server session
- Proxy securely processes client requests to the server
- Proxy automatically strips out attacks trying to introduce malicious commands that violate RFCs
- Proxy may be further configured to tightly enforce a limited-use policy for the application
- Client-server communications are configured to only allow needed operations and denies

(10)

Proxy-Based Application Defenses

The power of the Positive Model of security

POSITIVE MODEL OF SECURITY: “Deny all methods of communicating with the application unless the methods are explicitly allowed.”

- Not just simple signature-based checks – that is the negative model of security (allow all traffic while looking for the known bad in the traffic)
- Positive Model proxies have deep understanding of the applications they protect
- Proxy GUI treatment allows very granular control over how clients communicate with protected applications
- Protecting applications this way stops zero-hour unknown attacks

Proxy configuration selections define the only allowed communications with the protected applications!

(11)

Attack Containment & Control Analogy

- Master Control (Type Enforcement in the OS kernel)
  - Nothing happens on any file, directory or executable without real-time permission being granted (non-bypassable)
- Compartmentalization of functions
  - Software applications running in secure compartments
  - Eliminates attack creep from one application to another
- Containment of attacks
  - If one software piece fails or is attacked, others keep running unaffected
- Authorization to board
  - No foreign software can launch on the system because it would lack Type Enforcement (trojans, viruses, attack scripts, etc.)

[Diagram: Type Enforcement compartments for Sendmail, Web, OpenSSL, SNMP, DNS Server, FTP, NTP, SQL, Telnet, VPN]

(12)
(13)

IPS at Stateful Inspection Firewall

- Usually there is a great performance drop when the IPS is turned on, for example from 2Gbps to 300Mbps
- This is because the firewall cannot apply protocol enforcement
- The firewall has no ability to recognize the protocol, nor the ability to scan traffic selectively

(14)

Customized IPS for Different Attacks

- Sidewinder allows customized signatures for each connection
- Performance enhanced

(15)

[Screenshot: IPS rule editor; the visible signature text reads “SIP.SOFTSTONE.REXPLOIT";content:"|”]

Look for relevant signature groups for the service VoIP/SIP and add to the rule

Select how you want the firewall to respond

(16)

Signature groups are provided so the firewall is at maximum efficiency in employing signatures only for services and connections you wish to

(17)
(18)

Secure The Passing Traffic

The firewall should have the ability to handle the traffic passing through it:

- MAC address (L2)
- IP address (L3) and Port (L4)
- VPN (L2 – L4)
- IPS (L3 – L7)
- Anti-Virus and Anti-Spam (L7)
- Protocol anomaly detection and content control (L7)
- Proxy function

[Diagram: firewall between the Internet and the internal network]

(19)

Attack Demo - Identify the Victim

(20)

Attack Demo – Launch an Attack

(21)

Where can the Attacking Traffic be Stopped?

- By connection (L2 to L4)
  - Yes, if you know the source IP of the hacker
- By connection behavior (L3 to L5)
  - No, because it is not a DoS or network probe and the connection is the same as from a normal user
- By IPS (L3 – L7)
  - Yes, provided that the IPS signature includes the particular code such as “cgi-bin/foo.bat?|dir+c:+>..\htdocs\dir.txt” or “cgi-bin/foo.bat?|echo+HACKED+OWNED+BY+dr0ZZ+>>+..\htdocs\index2.html”
- By AV (L7)
  - No, because the file passing through the firewall has text and image only.
- By Protocol (L7)

(22)

A Common Solution in HK

[Diagram: Secure your Network Edge. Labels: Internet, 1st Tier FW, IPS, 2nd Tier FW, IPS, Data & Users, Central Management]

- L3/L4 FW cannot scan content
- IPS is the only chance to block the attack

(23)

Solution From Secure Computing

[Diagram: same two-tier layout. Labels: Internet, 1st Tier FW, IPS, 2nd Tier FW, IPS, Data & Users]

- TrustedSource stops connections from suspicious IPs
- Two different IPS (Snort + SCC)

(24)

Blocked by Protocol Anomaly Detection

This is a sample of an injection attack. The injected

(25)
(26)
(27)

Block by Protocol Enforcement

- P2P/IM connections that use a non-common port will be blocked by default
- Only P2P/IM that uses port 80/443 can make a connection
- In an Application Awareness firewall, ports 80 and 443 can be bound to HTTP and HTTPS respectively. No tunneling
- Only P2P/IM that uses port 80/443 with standard HTTP/HTTPS can pass through

(28)

Block by Content Control

- An application firewall allows you to control the content within the protocol
- Only P2P/IM that has no identifiable type within the protocol can pass through.
- E.g. MSN can be blocked by denying the “x-msn-message” MIME type
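The positive-model check that the Application Proxy Technology, Where can the Attacking Traffic be Stopped and Block by Protocol Enforcement/Content Control slides describe, as an added Python example (not code from the slides or from Sidewinder): a request on port 80 must parse as well-formed HTTP (protocol enforcement), may use only listed methods and a restricted target character set, so the demo's `cgi-bin/foo.bat?|dir+c:+>..\htdocs\dir.txt` request is denied without any signature, and may not carry the `x-msn-message` MIME type (content control). The allow-list values and the sample requests are constructed assumptions for the example.

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Positive-model policy for one protected web application (constructed values
# for this example; a real proxy reads these from its configured rule set).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_TARGET = re.compile(r"^/[A-Za-z0-9_./-]*(\?[A-Za-z0-9_=&.-]*)?$")
DENIED_MIME = ("x-msn-message",)  # content control: MSN Messenger over HTTP
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.([01])$")


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Decide whether one client request on port 80 may be relayed to the
    server; returns (allowed, reason) with the reason prefixed by the check
    that fired: 'protocol:', 'policy:' or 'content:'."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        # No HTTP header block at all (e.g. a P2P handshake): not HTTP.
        return False, "protocol: no HTTP header terminator"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "protocol: non-ASCII bytes in header"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "protocol: malformed request line"
    method, target, minor = m.groups()
    if method not in ALLOWED_METHODS:
        return False, f"policy: method {method} not allowed"
    # Percent-decode once, then require every character to be on the
    # allow-list: shell metacharacters such as '|' and '>' are denied
    # without any attack signature.
    if not ALLOWED_TARGET.match(unquote(target)):
        return False, "policy: request target outside allowed character set"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return False, "protocol: malformed header line"
        headers[name.strip().lower()] = value.strip()
    if minor == "1" and "host" not in headers:
        return False, "protocol: HTTP/1.1 request without Host header"
    ctype = headers.get("content-type", "").lower()
    if any(tag in ctype for tag in DENIED_MIME):
        return False, f"content: MIME type {ctype} denied"
    return True, "allowed"
```

Only a request that passes every check would be rewritten and sent to the server over the proxy's own second connection; everything else is dropped on the client side.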

(29)

Block by URL Filtering

- As the P2P/IM uses standard HTTP/HTTPS, a valid URL should be found
- All P2P/IM can be blocked provided that the URL control database includes the URL/IP

(30)
(31)

The Leader in Proactive Protection

[Diagram: TrustedSource reputation network with sites in Atlanta, Brazil, London, Hong Kong and Portland; Internet Traffic reaches the Internal Network after a Reputation Query against the Data Store]

- Feeds from thousands of load balancers, FWs, Msg & Web gateways
- Highest quality data
- Over 100 Billion Messages/month
- Millions of URLs
- 25 research scientists
- Sophisticated behavior analysis
- 450,000+ zombies detected each day
- Best image spam detection
- Largest Reputation Network
- Most Reliable Reputation Score

Be Proactive in Protecting From Next Generation Threats

Work with the clear leader in this business!

(32)

In the Future

- In the future, all incoming connections will be screened by TrustedSource.
- Only trusted IPs can make a connection to Sidewinder or Snapgear.
- The risk of making connection from a hacker

(33)

A Sample Hacked Site

(34)
(35)

Client Protected by TrustedSource

- It may be the hacked site and the final script hosting site
- AV/IPS can stop the known attack
- Content control

(36)

Server Protected by Sidewinder

- TrustedSource protects the server from dangerous clients such as zombies
- App proxy can apply URL control to stop injection attacks and deny SOAP

(37)
