IPS-Secured Networks
TippingPoint’s Business
TippingPoint provides IPS-Secured Networks that protect network and application infrastructure, applications and critical data from known / unknown, directed / non-directed attacks in a manner that preserves existing infrastructure, best-of-breed freedom of choice, and lowest total cost of security ownership.
Leading Enterprise Network Security Issues
[Chart: CERT Vulnerabilities per year, 1995–2006; labelled data points 417, 1,090, 2,437, 4,129, 5,990 and 7,994 (est.), annotated “150/week!”]
CERT: Carnegie Mellon University's Computer Emergency Response Team
• Inability to stop malicious traffic from entering the network
• Lack of control over who and what accesses the network
• Cannot prevent critical data from leaving the network
Business Productivity Advancements… Have Created Unacceptable Business Risks
Network
• Device proliferation – PCs, iPods, PDAs, phones, etc. – all networked
  – All are targets for attack
  – All are conduits for attack
• Blurring of consumer / business devices / applications
  – Synching iPod to laptop introduces iPod vulnerabilities to the enterprise
• Mobility – Users move devices in / out of enterprise network
  – Effectively eliminates any physical boundary
• Integrated IP voice, data and video networks
  – Big B/W
  – Video proliferation with new attack vectors
  – Web 2.0, Google, eBay, Yahoo will lead in pushing these limits, but enterprises will follow
Enterprise Network Security Solution Needs
Visibility / Classification
• What can attack my network?
• How do I stay on top of the ever-changing threat landscape?
• Where is my network vulnerable?
• What devices and users are on my network?
• What application traffic and protocols are running on my network?
• When and where are they trying to come in?
Policy Design
• Do I want to block, alert, or quarantine on malicious or unwanted traffic?
• Do I want to allow a given user / device pair on my network or not?
• Should I allow certain applications to be used by a given constituent?
• Should I allow a particular piece of information to leave my network?
Enforcement
• How do I prevent users, devices, flows, or content from violating policy?
• How do I do this at the Gbps speeds of my internal network?
• How do I ensure accuracy / latency so my business is not impeded?
Reporting
• How do I know my security policies are working?
• How can I prove internal & external compliance?
• How can I perform forensic analyses?
[Diagram: the four needs (Visibility / Classification, Policy Design, Enforcement, Reporting) applied across User, Device, Flow and Content to protect the Application Infrastructure, Network Infrastructure, Protocols & Applications, and Data / DB]
Step 1: Stop Malicious Traffic
[Diagram: Known / Unknown, Directed / Non-Directed Attacks – Worms, Reconnaissance, Rootkits, Denial of Service, Spyware, Identity Theft, Bots – aimed at Switches, Routers, Firewalls, Servers, Apps (P2P, IM, VoIP, SCADA, Bus. Apps) and Unstructured data; the IPS Blocks Attacks with Traffic Filters]
• Policy management
• Block Attacks
• Quarantine Endpoints
• Throttle P2P Downloads
• Block P2P Uploads
• Compliance Reporting
How We Stop Malicious Traffic – IPS Heritage
Simple idea…
• Transparent, bump-in-the-wire device
• Classify traffic and take action based on policy
• Comprehensive protection
  – Thousands of vulnerability, signature, and anomaly filters
  – Application & Infrastructure
  – Worms, Viruses, Trojans, Spyware, Phishing, DDoS, VoIP
• Control unwanted traffic
  – P2P, IM, Unauthorized Apps
• High accuracy
  – No false positives
• Automated, evergreen
  – Automated delivery
  – Rapid filter development
  – Bi-Weekly updates
• In-line device cannot disrupt network / business
  – High performance
  – Transparent to network
  – No impact on application performance
  – High reliability
Enterprise IPS Product Line
– Core, WAN Perimeter, Data Center & ROBO Coverage
– Digital Vaccine® & TippingPoint O/S Span Entire Line
[Diagram: IPS deployment points – Internet / WAN Perimeter (1.5Mbps – 100Mbps), DMZ, Aggregation, Access, VPN, Core and Data Center (Shared Storage, Shared Tape, Windows & Linux Blades) – with IPS throughput tiers of 10Mbps – 1Gbps, 1Gbps – 10Gbps, 1Gbps – 10Gbps and nx1Gbps – nx10Gbps]
• Protect WAN Perimeter
• Protect E-Commerce
• Protect Business Applications & Data
• Protect Core Network
• Protect Major Zones
• Protect Remote Offices
Network Traffic and Application Visibility
• Automated capture of network traffic
• Source / Dest IP data correlated with protocols and applications
• Application and device fingerprinting
Cutting Edge Security Intelligence
External Research
• Vulnerability incentive program
• 500+ registered researchers
• Best zero-day protection
• Responsible disclosure
• Advance notice to other security vendors
• Security community recognition without negative repercussions
Internal Research
• Vulnerability tracking & research
• Vaccine development
• Vaccine testing guards against False Positives
• Rapid, automated global delivery
• 30+ world class security researchers
• Unparalleled security & networking expertise
Global Threat Activity
• Automated collection & processing of global threat activity
• Logs & filter settings from production IPSs in customer networks
• Experimental logs from global lighthouse IPSs
• Blogs, reports, web page communication to customers
• Direct customer guidance on DV settings
IPS Leadership
ICSA Labs Results: Performance leadership for IPS
– Highest Throughput
– Lowest Latency
– 100% Filter Accuracy
– Depth and Breadth of coverage
[Chart: Throughput (Lo – Hi) vs. Latency (Lo – Hi), with labelled points (100 Mbps, 441 µsecs), (350 Mbps, 398 µsecs) and (3 Gbps, 81 µsecs)]
Unparalleled Security Coverage
– Greatest # of vulnerabilities covered
– Fastest to protect customers
– Leader in Microsoft coverage
– TP Research Team + ZDI = Best of Breed
[Chart: 2007 YTD Microsoft Vulnerability Coverage]
Challenges
• Don’t know who / what is on network
• Don’t know health / compliance of all devices
• Can’t restrict device or user access
• Critical asset vulnerability / breaches
• Lack of internal / external compliance
• Mobile devices unprotected in the wild
Step 2: Control Who and What is Accessing the Network
[Diagram, before: Infrastructure, Application & Information Assets sit behind an Un-trusted Boundary (traffic check only), an Un-trusted Boundary (credential check only) and a Trusted Domain (limited user policies)]
Solution
• Subject all users, devices, traffic to:
  – “Point in Time” device authentication / health check where applicable
  – “Continuous” fine-grained flow and data classification
• Flexible policy enforcement
  – Based on cost, time, user profile & risk to network
• Compliance Proof
  – Comprehensive visibility, audit, and reporting
[Diagram, after: a New Un-trusted Boundary around the Infrastructure, Application & Information Assets; Unknown Guests, Contractors, Executive, Admin, Mobile Employee, Teleworker and IT users enter from the Internet via Firewall, IPS/NAC, VPN and IPS, governed by the TPTI NAC Services / Policy Server]
How We Control User / Device Access – IPS Extended to Include Network Access Control (NAC)
Simple idea extended… Add user and device classification / enforcement
[Diagram: Uncontrolled, Unclean devices, users and flows cross a 360° Perimeter and emerge as Controlled, Clean devices, users and flows]
Entry Points
• Wired / Wireless ports
• VPN
• WAN Perimeter
Users
• Unknown Guests
• Trusted Vendors
• Employees
• IT Staff…
[Diagram: Fine-Grained CLASSIFICATION and Fine-Grained ENFORCEMENT of Flow and User / Device, driven by a Policy Control Center (IPS, SMS, TPTI NAC Policy Enforcer) using 802.1x enforcement, DHCP enforcement, and AD, LDAP, Radius, etc. for user / device identity]
IPS API – Expanding IPS-Secured Networks
[Diagram: the IPS Classify / Enforce engine exposes an IPS API to 3rd Party Out of Band Security / Control Applications – DDoS, NBAD, Data Leakage, VA, SSL Decryption]
• Intelligent handling of packet, flow & multi-flow security analysis / enforcement
• In-band enforcement of all security functions
• Leverages inline IPS investment
• Increases performance of OOB appliances
• Eliminates in-band ‘box sprinkling’
• Eliminates vendor lock-in
• Optimizes Security TCO and Network RAS
3rd Party Out of Band Security / Control Applications to the IPS:
“Copy or route to me, if you see traffic that meets certain attributes…”
“Perform the following enforcement action for me… block, alert, redirect, rate limit, quarantine, etc.”
Step 3: Prevent Critical Data from Leaving the Network
[Diagram: IPS Policy-Based Flow Inspection hands flows over the API to Data Leakage Content Classification and Policy Evaluation: Capture, Alert, Block]
Customer Need
• Prevent PCI data loss from a hacker / internal employee sending unprotected PCI data over the Internet
• Detect and prevent data loss resulting from “unknown” attacks on corporate network
• Correlate event information and content across NAC, IPS, and Data Leakage Prevention products for Compliance
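The IPS API and data-leakage slides describe one loop: the in-line IPS classifies each flow, copies flows that match a registered attribute set to an out-of-band application, and enforces the verdict that application returns. The following Python sketch is an added illustration, not TippingPoint code; it models that loop with a constructed DLP consumer that flags Luhn-valid card numbers in outbound HTTP, and the Flow fields, `register`, `dlp_analyze` and the sample flows are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Flow:
    """Constructed flow record: the attributes an in-line IPS classifies on."""
    src: str
    dst: str
    proto: str
    app: str
    outbound: bool          # True if the flow leaves the enterprise network
    payload: str = ""
    actions: list = field(default_factory=list)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number (PAN) from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def has_pci_data(text: str) -> bool:
    """Content classification: any Luhn-valid 13-16 digit number counts as an unprotected PAN."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False

class IPS:
    """Classify a flow, copy it to every out-of-band consumer whose match fires, enforce in-band."""
    def __init__(self):
        self.consumers = []     # (attribute predicate, analysis callback) pairs

    def register(self, match, analyze):
        self.consumers.append((match, analyze))

    def process(self, flow: Flow) -> list:
        if flow.app == "p2p" and flow.outbound:      # built-in filter: block P2P uploads
            flow.actions.append("block")
        for match, analyze in self.consumers:
            if match(flow):                           # "copy to me if traffic meets attributes"
                flow.actions.extend(analyze(flow))    # "perform this enforcement action for me"
        return flow.actions

def dlp_analyze(flow: Flow) -> list:
    # Hypothetical data-leakage consumer: capture, alert and block on outbound PAN data
    return ["capture", "alert", "block"] if has_pci_data(flow.payload) else []

def build_ips() -> IPS:
    ips = IPS()   # copy only outbound HTTP to the DLP consumer, so it scales by seeing less
    ips.register(lambda f: f.outbound and f.proto == "http", dlp_analyze)
    return ips
```

The predicate passed to `register` is the "traffic that meets certain attributes" half of the API, and the list the consumer returns is the enforcement half; restricting the predicate is what lets a specialty appliance scale by seeing only specified traffic.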
IPS-Secured Network Architecture
[Diagram: IPS units at the Internet edge (Protects Against External Attacks), in front of the core assets (Protects Core Assets) and on LAN / Remote segments (Protects Against Internal Attacks), all managed by the SMS]
• IPS Policy
• NAC Policy
• UMRR
• Other Mgmt
[Diagram: Security Intelligence and Security Policy Management feed an IPS Platform that classifies and enforces on Users, Devices, Flows and Data through its IPS, NAC and API modules; API partners: Data Leakage, NBAD, Encryption, VA]
IPS-Secured Networks Address Complete Enterprise Security Solution Needs
[Diagram: Security Intelligence, Security Policy Management and the IPS Platform mapped onto the four needs – Visibility / Classification, Policy Design, Enforcement, Reporting – across User, Device, Flow and Content]
Evolving to an IPS-Secured Network
Roadmap quarters: FQ108 (Jun-Aug 07), FQ208 (Sep-Nov 07), FQ308 (Dec-Feb 08), FQ408 (Mar-May 08), FQ109 (Jun-Aug 08), FQ209 (Sep-Nov 08)
Milestones shown on the timeline:
• WAN, Data Ctr, DMZ, Zone, ROBO
• ThreatLinQ
• 10 Gbps IPS @ Core
• Guest Network
• IPv6 Native 10 Gbps
• API Content Security Partner, Early API
• Integrated NAC, Policy Enforcement
• API-Enabled Next Gen DDoS, Encryption, NBAD
Themes: Stop Malicious Traffic, Control Network Entry, Stop Data Leakage, Integrate for TCO
Control layers: Application Control, Attack Control, Access Control, IPS-Secured Network, 360° Access Control
Product labels: IPS, ThreatLinQ, NAC, Data Leakage, Zorro (IPS+NAC+API), Attack Analysis / Compliance / Visibility, NAVLinQ Security Expansion
Summary
• Three critical network security problems
  – Stop malicious / unwanted traffic
  – Control who / what is allowed into network
  – Prevent critical data from leaving the network
• Right way to address these problems
  – Leverage full power of in-line IPS to classify and enforce
  – Not only for malicious traffic – but also users, devices and content
• Customer value
  – Comprehensive network security & compliance
  – Re-use of powerful network-based IPS
  – Simplification of in-line network security deployments
  – TCO savings
• Integrated policy design for compliance audit / reporting
• Free specialty appliances to scale by only seeing specified traffic
• No disruption to existing network infrastructure
Thank You