
Thangns

Agenda
SECURITY OVERVIEW
TYPES OF ATTACK
SECURITY BLUEPRINT
FIREWALL AND IDS
ANTIVIRUS SYSTEM
SECURITY SCANNER SYSTEM
SECURITY CENTRAL MANAGEMENT SYSTEM
IDENTITY
SECURITY DESIGN SOLUTION FOR EXIMBANK

SECURITY OVERVIEW

What is Network Security?

A process, not a product
An integrated system

Network security requires defense in depth, which includes:
- Firewalls and router access control lists (ACLs)
- Network- and host-based intrusion detection systems (NIDS and HIDS)
- Scanners
- Centralized security and policy management
- Authentication, authorization, and accounting (AAA), access control servers, and certificate authorities
- Encryption and virtual private networks (VPNs)

Why Integrated Network Security?

Everything is a target: routers, switches, hosts, networks, applications, information, and management tools
A new breed of network attacks uses multiple vectors that no single device can block
Network security therefore requires an integrated system:
- Layers of security
- Security embedded throughout the network
- Security integrated in network devices
- Secure network management and reporting

Network Security Evolution: From Detection to Protection

(Timeline figure: operational capability over time, plotted against the growth from applications to services and the rising complexity of network security.)
- 1985: Block and hide. Manual; "crypto solves all".
- 1995: Detection of threats. Reactive point products, some automation.
- Today: Protection from threats. Comprehensive, integrated solutions.
- Future: Adaptive networks. Self-managing, self-healing, security-aware networks.

INTELLIGENCE & THREAT COVERAGE: Network Security Must Evolve

(Timeline figure: inspection technology against the threats it was built for.)
- 1990: Stateful inspection, against simple intrusions and viruses
- 1995: Deep packet inspection, against worms, trojans, sophisticated intrusions and denial-of-service attacks
- 2000 to 2005: Complete content protection, against email spam and inappropriate web content

Security Threats: On the rise, more dangerous, easier to launch

(Figure: number of intrusions reported per year, 1988 to 2000, on a 0 to 25,000 scale, with two trend lines: the sophistication of hacker tools rising and the technical knowledge required of the hacker falling.)
Tool progression along the curve: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sniffers, sweepers, DDoS, stealth diagnostics, packet forging/spoofing.
Source: CERT, Carnegie Mellon University

Microsoft Security Bulletins for June 2004

Service Name | Port Number | Explanation
epmap | 135 | DCE endpoint resolution
nterm | 1026 | remote_login network_terminal
icq | 1027 | ICQ instant messenger
ms-sql-m | 1434 | Microsoft SQL Monitor
netbios-ns | 137 | NetBIOS Name Service
microsoft-ds | 445 | Win2k+ Server Message Block
dabber | 9898 | [trojan] Dabber worm backdoor
sasser-ftp | 5554 | [trojan] Sasser worm FTP server
mydoom | 3127 | W32/MyDoom, W32.Novarg.A backdoor
netbios-ssn | 139 | NetBIOS Session Service
(The original table also carried a 30-day history sparkline per port.)
Source: The SANS Institute. Last update June 08, 2004 21:43 GMT

TYPES OF ATTACK

Attack the listeners
- Exploit bugs and misconfigurations
- Buffer overflow
- Spoof the client

Attack the stack
- Packet mangling
- Oversize packets, fragmentation
- Flooding
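What "oversize" and "fragmentation" attacks on the stack look like from the defender's side, as an added example that is not part of the original deck: the sanity checks an IP reassembler should apply before stitching fragments together. The fragment sets below are constructed for illustration, and the header constants are the IPv4 limits, not anything the slides specify.

```python
# Added example: sanity checks a reassembler applies to IPv4 fragments.
# The fragment sets below are constructed for illustration; they are not
# captures from the original deck. Each fragment is a tuple of the fields
# an IPv4 header carries: (fragment offset in 8-byte units, more-fragments
# flag, payload length in bytes).

MAX_DATAGRAM = 65535   # IPv4 total-length field is 16 bits
IPV4_HEADER = 20       # minimum header prepended to the reassembled payload


def check_fragments(frags):
    """Return the problems found in one fragment set (empty list == clean).

    oversize:   offset*8 + length + header > 65535, the "ping of death" shape
    bad length: a non-final fragment whose payload is not a multiple of 8
    overlap:    a fragment that rewrites bytes an earlier one already set
                (teardrop-style packet mangling)
    incomplete: no fragment with MF=0, so a naive reassembler holds the
                buffer forever (a resource-exhaustion / flooding vector)
    """
    problems = []
    spans = []
    saw_last = False
    for offset, more, length in frags:
        start = offset * 8
        end = start + length
        if end + IPV4_HEADER > MAX_DATAGRAM:
            problems.append(f"oversize: reassembled datagram would be {end + IPV4_HEADER} bytes")
        if more and length % 8:
            problems.append(f"bad length: non-final fragment of {length} bytes")
        for s, e in spans:
            if start < e and s < end:
                problems.append(f"overlap: [{start},{end}) overlaps [{s},{e})")
                break
        spans.append((start, end))
        if not more:
            saw_last = True
    if not saw_last:
        problems.append("incomplete: no final fragment (MF=0)")
    return problems


# Constructed fragment sets: (offset_units, more_fragments, payload_len).
NORMAL = [(0, 1, 1480), (185, 0, 20)]          # 1500-byte datagram in two pieces
PING_OF_DEATH = [(0, 1, 1480), (8189, 0, 40)]  # last piece ends past 65535
TEARDROP = [(0, 1, 32), (3, 0, 32)]            # second piece starts inside the first
FLOOD_PIECE = [(0, 1, 8)]                      # never completes

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("ping-of-death", PING_OF_DEATH),
                        ("teardrop", TEARDROP), ("never-completes", FLOOD_PIECE)]:
        print(f"{name:16s} {check_fragments(frags) or 'ok'}")
```

The incomplete case is the one that matters for flooding: a stack that allocates a reassembly buffer per first fragment and never times it out can be exhausted with a handful of packets per second, so a real reassembler pairs this check with a per-source buffer limit and a timer.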

Who might attack you?

Hackers
- A few talented people provide tools for thousands of kids
- rootshell.com and insecure.org contain hundreds of tools
- Opportunity targets

Customers
- Themselves, through stolen or guessed passwords

Who might attack you? (2)

Insiders
- Through malice
- Carelessness
- Overwork

Competitors
- Denial of service attacks make you look bad
- Customer lists for marketing

How Outsiders Attack

Look for known weaknesses
- Misconfigured software: much software ships with a more secure configuration that is not turned on out of the box
- Outdated software with known problems
- Bad passwords

How outsiders attack (2)

- Scanning tools (SATAN, sscan) make finding problems easy
- Exploit tools make taking advantage of problems easy
- Stealth tools make erasing logs easy

How insiders attack

Exactly the same as outsiders, except that they are more effective

SECURITY BLUEPRINT

The Security Wheel

(Figure: a cycle of four stages around the Corporate Security Policy at the hub.)
- Secure: firewall, encryption, authentication
- Monitor and Respond: real-time intrusion detection
- Audit/Test: proactive network vulnerability assessment
- Manage and Improve: network operations and security professionals

Deploy Security as an Integrated System

Security layer | Physical-security analogy | Network control
Extended perimeter security | Secured doors and vaults | Firewalls and router ACLs
Intrusion protection | Surveillance and alarms | Network- and host-based intrusion detection
Intrusion protection | Patrolling security guard | Scanner
Security management and policy | Security room CCTV | Centralized security and policy management
Identity services | Card readers | Identity, AAA, access control servers, and certificate authorities
Secure connectivity | Secure transport | Encryption and virtual private networks (VPNs)

FIREWALL

The types of Firewall

Dedicated firewall appliance
- Cisco PIX Firewall
- CrossBeam Security Service Switch

Application firewall
- CheckPoint Software
- Microsoft ISA Server

The types of Firewall

Stateless firewall: judges each packet on its own header fields (addresses, ports, flags) with no memory of earlier packets
Stateful firewall: tracks connections and admits an inbound packet only when it belongs to a session that was opened from the permitted side
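The difference between the two firewall types above, as an added example that is not from the original deck or any vendor: a stateless ACL and a minimal connection-tracking filter implementing the same policy (inside hosts may open TCP connections out; nothing may open a connection in). The packets and the 10.0.0.0/8 inside range are constructed for illustration, and the teardown handling is deliberately minimal.

```python
# Added example: a stateless ACL beside a minimal stateful filter, both
# implementing the same intent: inside hosts (10.0.0.0/8) may open TCP
# connections to the Internet, nothing outside may open a connection in.
# The packets are constructed for illustration, not traffic from the
# original deck; the outside addresses are documentation/test prefixes.
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH


def _inside(addr):
    return ipaddress.ip_address(addr) in INSIDE


def stateless_filter(pkt):
    """Router-ACL style: each packet judged alone. Return traffic can only be
    recognised by its header, here the ACK bit (the 'established' keyword),
    so an ACK-only probe from outside to any inside port is admitted."""
    if _inside(pkt.src) and not _inside(pkt.dst):
        return "permit"                       # outbound: always allowed
    if _inside(pkt.dst) and "A" in pkt.flags:
        return "permit"                       # looks like a reply; cannot tell
    return "deny"


class StatefulFilter:
    """Connection-tracking filter: a session exists only after an inside host
    sent a SYN; inbound packets are admitted only if they belong to one."""

    def __init__(self):
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        if _inside(pkt.src) and not _inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.sessions.add(key)        # inside opened a connection
                return "permit"
            if key in self.sessions:
                if "F" in pkt.flags or "R" in pkt.flags:
                    self.sessions.discard(key)  # simplified teardown
                return "permit"
            return "deny"                     # stray outbound, no session
        if _inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                if "R" in pkt.flags:
                    self.sessions.discard(key)
                return "permit"
            return "deny"                     # unsolicited inbound, ACK or not
        return "deny"


# Constructed scenario: a legitimate web fetch, then probes from outside.
LEGIT_SYN = Packet("10.1.1.5", "203.0.113.10", 40000, 80, "S")
LEGIT_SYNACK = Packet("203.0.113.10", "10.1.1.5", 80, 40000, "SA")
ACK_PROBE = Packet("198.51.100.7", "10.1.1.9", 31337, 445, "A")
SYN_PROBE = Packet("198.51.100.7", "10.1.1.9", 31337, 445, "S")


def compare(packets):
    """Run both filters over the packets in order; return {packet: (stateless, stateful)}."""
    sf = StatefulFilter()
    return {p: (stateless_filter(p), sf.filter(p)) for p in packets}


if __name__ == "__main__":
    for p, (a, b) in compare([LEGIT_SYN, LEGIT_SYNACK, ACK_PROBE, SYN_PROBE]).items():
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]  stateless={a}  stateful={b}")
```

The ACK probe is the point: a stateless ACL has to let ACK-bearing packets in or no reply would ever reach an inside client, which is exactly what ACK scans and some firewalking techniques exploit; the stateful filter denies it because no inside host ever opened that 4-tuple.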

PIX Firewall Topology

(Figure: the Internet on the outside network; perimeter networks hosting a proxy server with Java/ActiveX and URL blocking, plus WWW, DNS and email servers; the inside network with Cisco Secure and NT RAS.)

Cisco PIX Firewall 525
- Supports up to eight 10/100 Fast Ethernet interfaces or three Gigabit Ethernet interfaces
- More than 330 Mbps of firewall throughput
- Handles more than 280,000 simultaneous sessions
- High-availability services
- Integrated hardware VPN acceleration
- Up to 155 Mbps of Triple Data Encryption Standard (3DES) VPN throughput
- 170 Mbps of Advanced Encryption Standard-256 (AES) VPN throughput

CheckPoint Express

SmartCenter SmartDashboard

Crossbeam Security Service Switch C30
- Supports 16 10/100 Ethernet interfaces and 2 fiber or copper Gigabit Ethernet interfaces
- High-speed Ethernet backplane with stack ports to guarantee high bandwidth between the Network Interface Module and the Application Module
- 2 Gbps of firewall throughput
- Two 10/100 management ports
- Broadcom BCM1250 network processor and Pentium III 1.26 GHz

Accelerated, integrated depth-of-defense

Intrusion Detection Systems

Anomaly vs. signature detection
- Anomaly detection: define normal, authorized activity and treat everything else as potentially malicious
- Misuse/signature detection: explicitly define which activity is to be considered malicious
- Most commercial IDS products are signature-based

Host- vs. network-based
- Host-based: agent software monitoring activity on hosts
- Network-based: collects and analyzes data from the network
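The two detection models above side by side, as an added example that is not from the original deck or any IDS product: a signature matcher and a small anomaly detector run over constructed HTTP request lines. The training set, the signature list and the test requests are mine; the traversal, cmd.exe and passwd strings are generic attack shapes of the period, not a claim about a specific bug.

```python
# Added example: signature (misuse) detection beside anomaly detection, run
# over constructed HTTP request lines. The request lines, the baseline and
# the signature list are mine for illustration; they are not from the
# original deck or any product.
import statistics

# Misuse/signature detection: explicitly enumerated malicious patterns.
SIGNATURES = {
    "cmd.exe": "IIS cmd.exe execution",
    "../": "directory traversal",
    "/etc/passwd": "Unix password file read",
    "' or 1=1": "SQL injection",
}


def signature_detect(request):
    """Return the names of every signature the request matches (case-insensitive)."""
    low = request.lower()
    return [name for pattern, name in SIGNATURES.items() if pattern in low]


class AnomalyDetector:
    """Anomaly detection: learn 'normal' from a training set, flag deviations.

    Two features only: the set of characters seen in normal requests, and the
    request length (flagged if more than 3 standard deviations above the mean).
    """

    def __init__(self, training):
        self.alphabet = set("".join(training))
        lengths = [len(r) for r in training]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.pstdev(lengths) or 1.0

    def detect(self, request):
        reasons = []
        unseen = set(request) - self.alphabet
        if unseen:
            reasons.append(f"unseen characters {''.join(sorted(unseen))!r}")
        z = (len(request) - self.mean) / self.stdev
        if z > 3:
            reasons.append(f"length z-score {z:.1f}")
        return reasons


def triage(request, detector):
    """Run both detectors; return {'signature': [...], 'anomaly': [...]}."""
    return {"signature": signature_detect(request), "anomaly": detector.detect(request)}


# Constructed baseline of normal requests (method + path).
TRAINING = [
    "GET /index.html",
    "GET /images/logo.gif",
    "POST /login",
    "GET /accounts/balance?id=1001",
    "GET /help/welcome.html",
]

# Constructed test requests.
KNOWN_TRAVERSAL = "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir"
KNOWN_PASSWD = "GET /etc/passwd"            # known pattern, statistically 'normal'
UNKNOWN_OVERFLOW = "GET /" + "A" * 400      # no signature, clearly abnormal
SQLI = "GET /login?user=admin' OR 1=1--"

if __name__ == "__main__":
    det = AnomalyDetector(TRAINING)
    for req in (KNOWN_TRAVERSAL, KNOWN_PASSWD, UNKNOWN_OVERFLOW, SQLI):
        print(req[:48], triage(req, det))
```

The complementary misses are the lesson: the short `/etc/passwd` request fits the baseline and only the signature catches it, while the 400-byte request matches no signature and only the anomaly detector catches it. That is why the deck's "most commercial IDS products are signature-based" matters: a pure signature product has no answer for the second case until a signature is written.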

IDS Sensor Placement

(Figure: security sensors on the engineering and finance segments, in front of the web and email servers, on the corporate network behind the PIX Firewall and Internet router, and at a remote office reached over an encrypted VPN through the service provider. Every sensor alerts an IDS Director in the Network Operations Center; an inside hacker is shown on the corporate network.)

ANTIVIRUS SYSTEM

Computer Virus Damage: Annual Estimated Costs

(Figure: bar chart.)
- 1999: $12.1 billion (Melissa: $385m)
- 2000: $17.5 billion (ILOVEYOU: $6.7 billion)
Need an effective way to protect your corporate assets
Sources: Total cost 1999: $12.1B, Computer Economics; Melissa: various sources. Total cost 2000: $1.5 T, Information Week Research fielded with PricewaterhouseCoopers; 10 billion, Computer Economics

E-mail is now the biggest virus threat!
87% of viruses come from email!
Source: ICSA (International Computer Security Association) Computer Virus Prevalence Survey 2000

Firewall functions

(Figure: the firewall as a gate: 1. Authentication; 2. Permission check. STOP! It stops illegal entry.)

What a firewall cannot do

(Figure: how can you find the bomb? A firewall does not inspect content.)

Stop malicious code at the gateway

(Figure: the firewall with InterScan VirusWall behind it. STOP!)

SECURITY SCANNER SYSTEM

ISS Internet Scanner
- Automated network vulnerability assessment across servers, desktops, and infrastructure devices
- Integration with the Enterprise Protection Platform for distributed vulnerability assessment and IDS/IPS correlation
- X-Force security intelligence

ISS Database Scanner
- Identifies security exposures in leading database applications
- Runs independently of the database and quickly generates detailed reports with all the information needed to correctly configure and secure databases
- Automated penetration testing

SECURITY CENTRAL MANAGEMENT SYSTEM

Solsoft Security Designer
- Security policy definition by drag-and-drop of rules and objects instead of manual, complex coding
- Visual, object-oriented interface for creating firewall, firewall cluster, anti-spoofing, NAT, and VPN policies
- Import of existing maps, objects and policies
- Single security management application for all network security devices (switches, routers, firewalls, VPNs)
- Class and meta-class definitions
- Security review on any network object

Solsoft Policy Server
- Policy-based management
- Firewall configuration, including PKI and pre-shared key support
- Support for cluster configurations
- Automatic validation and deployment of security rules
- Policy versioning
- Strong auditing capabilities
- Simple import and migration between devices of different brands, including import from HP OpenView
- NAT rules generation
- IPsec VPN
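What "automatic validation of security rules" has to catch before a policy is pushed to a device, as an added example that is not Solsoft's code and not a description of its algorithm: a checker for ordered, first-match-wins rule lists that reports rules an earlier rule already covers. The DMZ rule set and addresses are constructed for illustration.

```python
# Added example: the kind of rule validation a policy manager performs
# before deployment: finding rules that an earlier rule in the same ordered
# list already covers (first match wins), so the later rule never fires.
# Rule set and addresses are constructed for illustration; this is not
# Solsoft's code or a description of its algorithm.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # CIDR
    dst: str       # CIDR
    ports: tuple   # inclusive destination port range; (0, 65535) means any


def covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    ports_ok = a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
    return proto_ok and src_ok and dst_ok and ports_ok


def validate(rules):
    """Return (rule, finding, covering_rule) for every rule that can never match.

    'shadowed'  = an earlier rule with the opposite action covers it, so the
                  intent it expresses is silently not enforced (the dangerous case)
    'redundant' = an earlier rule with the same action covers it (harmless clutter)
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


def first_match(rules, proto, src, dst, dport):
    """What the device actually does with a packet: the first matching rule wins."""
    for r in rules:
        if (r.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.ports[0] <= dport <= r.ports[1]):
            return r
    return None


# Constructed DMZ policy with a too-broad rule slipped in at position 2.
RULES = [
    Rule("permit-dmz-web",      "permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", (80, 80)),
    Rule("permit-dmz-all-tcp",  "permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", (0, 65535)),
    Rule("deny-dmz-telnet",     "deny",   "tcp", "0.0.0.0/0", "192.0.2.0/24", (23, 23)),
    Rule("permit-dmz-https",    "permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", (443, 443)),
    Rule("deny-inside-inbound", "deny",   "any", "0.0.0.0/0", "10.0.0.0/8",   (0, 65535)),
]

if __name__ == "__main__":
    for finding in validate(RULES):
        print("%-20s %-10s by %s" % finding)
    hit = first_match(RULES, "tcp", "198.51.100.7", "192.0.2.10", 23)
    print("telnet to a DMZ host actually hits:", hit.name, "->", hit.action)
```

The shadowed deny is the finding worth blocking a deployment on: the administrator believes telnet into the DMZ is closed, the device permits it, and nothing in the running configuration looks wrong until someone asks what the first matching rule for port 23 is.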

Solsoft Policy Server (cont.)
- Centralized repository
- User roles, privileges and workflow management
- Support for all major security device vendors including Cisco, Check Point, NetScreen and Nortel Networks, as well as a number of challengers
- Compatibility and interoperability with other network management systems
- IPsec VPN

Solsoft offers a true open platform for multi-vendor and multi-product support.

IDENTITY

The Expanding Access Environment

What is AAA?
- AUTHENTICATION: Who is allowed access?
- AUTHORIZATION: What are they allowed to do?
- ACCOUNTING: What did they do?

Cisco Access Control Server (ACS)

Cisco Secure ACS GUI

Putting It All Together: THE SECURITY DESIGN SOLUTION FOR EXIMBANK

(Network diagram. Head office (Hội Sở) Internet edge: 2 x Router 3640, CrossBeam Firewall X45, PIX Firewall 525, Catalyst 4003, IDS 4235. DMZ Module: Web Server, Mail Relay, Proxy, Web Cache, Websense and Antivirus Server (URL filter and Antivirus Module). Application Server Module: Application Server, Mail Server. Database Server & Storage Module: Database Server, Storage. Management Module: CA Server, Security Scanner, Central Management Server. Branch sites at Hà Nội, Đà Nẵng, Cần Thơ, Chợ Lớn and Hòa Bình each connect through a Router 3620 with IOS Firewall over VPN to the head office.)

FUTURE PLAN

How Is TRUST Achieved?

A handshake meant trust. But now, in an e-Business world, how do you build an infrastructure of trust?

Two-Factor Authentication

(Figure: an RSA ACE/Server authenticating users arriving over the Internet to a web server, over remote access (RAS) and through a VPN or firewall into the enterprise intranet, and on to applications and resources such as a mainframe and Unix hosts; RSA Agents sit on the web server and the remote-access path. Use cases shown: applications in healthcare, e-business, Internet access, remote access, enterprise access.)

The Expanding RSA SecurID Family
- RSA SecurID hardware tokens
- RSA SecurID software tokens
- RSA SecurID smart cards
- RSA SecurID for the Palm Computing Platform
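How a token server actually checks "something you have" next to "something you know", as an added example that is not RSA's code and not from the original deck: the event-based one-time-password scheme standardized as HOTP (RFC 4226) used as a stand-in for a token algorithm. RSA SecurID uses RSA's own algorithm, not HOTP. The enrolled user, the PIN and the look-ahead window are constructed assumptions; the secret is the RFC 4226 test vector key.

```python
# Added example: HOTP (RFC 4226) used as a stand-in token algorithm to show
# two-factor verification with counter look-ahead and replay defence. This is
# not RSA SecurID's algorithm and not the original deck's code. The user
# record, PIN and window are constructed assumptions.
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Two-factor check: PIN + token code, with counter look-ahead and replay defence."""

    def __init__(self, window=3):
        self.window = window
        self.users = {}  # name -> dict(pin_hash, secret, counter)

    def enroll(self, name, pin, secret):
        # A 4-digit PIN is the weak factor by design; a real server would use a
        # salted, slow hash here. Plain SHA-256 keeps the example short.
        self.users[name] = {
            "pin_hash": hashlib.sha256(pin.encode()).digest(),
            "secret": secret,
            "counter": 0,
        }

    def authenticate(self, name, pin, code):
        user = self.users.get(name)
        if user is None:
            return False
        # Factor 1: the PIN, compared in constant time.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), user["pin_hash"]):
            return False
        # Factor 2: the token code. Accept the next `window` counter values so a
        # token pressed without logging in does not desynchronise the user, then
        # advance past the accepted value so the same code cannot be replayed.
        for c in range(user["counter"], user["counter"] + self.window):
            if hmac.compare_digest(hotp(user["secret"], c).encode(), code.encode()):
                user["counter"] = c + 1
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = TokenServer()
    server.enroll("alice", "4711", RFC_SECRET)                       # constructed user and PIN
    print(server.authenticate("alice", "4711", hotp(RFC_SECRET, 0)))  # True
    print(server.authenticate("alice", "4711", hotp(RFC_SECRET, 0)))  # False: replay
    print(server.authenticate("alice", "0000", hotp(RFC_SECRET, 1)))  # False: wrong PIN
```

The counter-advance on success is what makes a captured code worthless a second later, which is the property a static password can never have; the look-ahead window is the usability trade-off that every event-based token server has to make, and the smaller it is, the less an attacker gains from guessing.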

Intrusion Prevention System
- Assures the availability and security of desktops, application servers, and web service engines
- Real-time detection and prevention of network intrusions
- Intelligent attack detection
- Identifies threats to the business and blocks them

One Effort: Looking Inside the Noise

(Figure: network activity example. Overall activity of approximately 2.5 Gbytes/day, most of it noise below the radar.)

CiscoWorks Security Information Management Solution (CW SIMS)

Provides:
- Complete event monitoring for SAFE
- Real-time event correlation
- Advanced visualization
- Integrated threat assessment
- Comprehensive reporting and forensics

netForensics is a primary component of CW SIMS

netForensics SIM Technology
- Powerful and flexible 3-tier architecture scales to any enterprise size
- All netForensics components are fully distributable from one server to many
- Console for centralized configuration, reporting and maintenance of software
- Agents perform event collection and normalization
- Engines aggregate and correlate events
- Integrated database facilitates reporting, auditing and analysis
- Master engine supports visualization of correlated events
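The agent and engine steps above in working form, as an added example that is not netForensics code and not from the original deck: normalize two different syslog formats into one event schema, then correlate per source address across devices. The log lines are constructed for illustration in the shape of PIX message 106023 and OpenSSH "Failed password" lines; the thresholds and the 60-second window are assumptions.

```python
# Added example: the agent -> engine pipeline a SIM implements: normalize
# events from two different log formats into one schema, then correlate
# them per source across devices. The log lines are constructed for
# illustration (PIX 106023 deny and OpenSSH "Failed password" formats);
# they are not from the original deck, and this is not netForensics code.
# Thresholds and the time window are assumptions.
import re
from collections import defaultdict

PIX_DENY = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
SSH_FAIL = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def normalize(line):
    """Agent step: map one raw syslog line onto the common event schema, or None."""
    m = PIX_DENY.match(line)
    if m:
        return {"ts": _seconds(m["time"]), "host": m["host"], "kind": "fw_deny",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = SSH_FAIL.match(line)
    if m:
        return {"ts": _seconds(m["time"]), "host": m["host"], "kind": "auth_fail",
                "src": m["src"], "dst": m["host"], "dport": 22}
    return None  # unparsed: a real SIM counts these rather than dropping silently


def _within(events, window):
    ts = [e["ts"] for e in events]
    return max(ts) - min(ts) <= window


def correlate(events, scan_ports=5, auth_hosts=2, window=60):
    """Engine step: aggregate per source address and raise cross-device alerts."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        denies = [e for e in evs if e["kind"] == "fw_deny"]
        targets = {(e["dst"], e["dport"]) for e in denies}
        if len(targets) >= scan_ports and _within(denies, window):
            alerts.append(f"port scan: {src} probed {len(targets)} ports behind the firewall")
        fails = [e for e in evs if e["kind"] == "auth_fail"]
        hosts = {e["host"] for e in fails}
        if len(hosts) >= auth_hosts and _within(fails, window):
            alerts.append(f"credential attack: {src} failed logins on {len(hosts)} hosts")
    return alerts


# Constructed sample: one noisy source, one benign deny, one unparsed line.
SAMPLE_LOG = """\
Jun  8 21:43:01 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40211 dst inside:10.0.0.5/21 by access-group "outside_in"
Jun  8 21:43:01 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40212 dst inside:10.0.0.5/23 by access-group "outside_in"
Jun  8 21:43:02 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40213 dst inside:10.0.0.5/25 by access-group "outside_in"
Jun  8 21:43:02 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40214 dst inside:10.0.0.5/80 by access-group "outside_in"
Jun  8 21:43:03 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40215 dst inside:10.0.0.5/445 by access-group "outside_in"
Jun  8 21:43:09 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.4/51000 dst inside:10.0.0.9/445 by access-group "outside_in"
Jun  8 21:43:20 web1 sshd[4211]: Failed password for root from 198.51.100.7 port 52011 ssh2
Jun  8 21:43:31 db1 sshd[918]: Failed password for invalid user oracle from 198.51.100.7 port 52014 ssh2
Jun  8 21:43:40 web1 sshd[4215]: Accepted publickey for deploy from 192.0.2.9 port 40122 ssh2
"""


def analyze(raw_log):
    """Full pipeline on a raw log blob: returns (events, alerts)."""
    events = [e for e in (normalize(l) for l in raw_log.splitlines()) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = analyze(SAMPLE_LOG)
    print(f"{len(events)} events normalized")
    for a in alerts:
        print("ALERT", a)
```

Neither device sees an incident on its own: the firewall logs five routine denies and each host logs one failed login. Only after normalization puts both formats in one schema can the engine tie them to one source address, which is the "looking inside the noise" the previous slide is about.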
