HP Aruba 2013 _ Wireless Network Security Palo Alto Networks - Aruba Networks Integration


7/21/2019 HP Aruba 2013 _ Wireless Network Security Palo Alto Networks - Aruba Networks Integration

http://slidepdf.com/reader/full/hp-aruba-2013-wireless-network-security-palo-alto-networks-aruba-networks 1/23

15/11/13

Wireless Network Security
Palo Alto Networks / Aruba Networks Integration

Today’s Agenda

The Backdrop for Mobile Security

•  Changes in the application landscape
•  State of the art in mobile threats
•  Issues with the current approaches to enterprise security

Aruba Networks / Palo Alto Networks Integration

•  Introduction to the Palo Alto Networks Network Security Platform
•  Integration points with Aruba Networks ClearPass Guest

Resources

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.


Mobile Climate and Challenges


Need to Control:
•  Who gets on the network
•  What devices get on the network
•  What applications and content those users and devices can access

Today's Challenge:

Once a user's on the network, IT can't control what they can do or access.

Most organizations do not have the security within the infrastructure to control granular application level access based on user and device type.

Help Desk Engineering Operations

Challenge: Redefining the IT Service Model

Self-selected devices, apps & services
Build & deploy
Design desktop, voice, network
User-defined infrastructure
Self-provision
Self-support
Support
PRE-BYOD
POST-BYOD


Securing Applications 

Today’s Typical Network

Applications everyone wants to hate!

Applications everyone needs!

Active Directory

SMB

pop3

snmp

dns

Applications everyone tends to ignore!

telnet

LDAP

ftp SSL

custom tcp

custom udp

RDP

VNC

VPN

encrypted tunnel


Complexity Influencers


Complexity

and Risk

SMTP

 Applications  Users 

SQL Slammer

Poison IVY

APT1

Aurora 

Threats 

SSL: Security or Evasion?

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

26% (356) of the applications found can use SSL


Freegate

SSL/Port 443: The Universal Firewall Bypass


Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

TDL-4

Poison IVY

Rustock

APT1

Ramnit

Bot

Citadel 

Aurora 

Gozi 

tcp/443

Port Hopping: Ease of Access or Evading Control?


18% (255) of the applications found can hop ports


Managing Ports: A Bad Way to Control Applications


Lync ports to open as recommended by Microsoft

Random, non-contiguous communication ports and protocols!! accessed by distributed workforce with different security risk profiles

Threats to Wireless Networks 


The Basics on Threat Prevention

Threat / What it is / What it does

Exploit
What it is: Bad application input, usually in the form of network traffic.
What it does: Targets a vulnerability to hijack control of the target application or machine.

Malware
What it is: Malicious application or code.
What it does: Anything – downloads, hacks, explores, steals…

Command and Control (C2)
What it is: Network traffic generated by malware.
What it does: Keeps the remote attacker in control and coordinates the attack.

Modern Attacks Are Coordinated

1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content

2. Exploit: Infected content exploits the end-user, often without their knowledge

3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed

4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control

5. Explore & Steal: Remote attacker has control inside the network and escalates the attack


Mobile Malware: DPlug TTPod App in Google Play

In-App Purchase

Attacker

Dplug Malware

DPlug

Sends IMSI / IMEI via SMS

Premium SMS

Forged Subscribe Confirm?

Victim

Accept

Premium SMS Billing


Secondary Payload
Spread Laterally
Custom C2 & Hacking
Data Stolen
Exploit Kit Malware From New Domain
ZeroAccess Delivered
C2 Established
Hidden within SSL
New domain has no reputation
Payload designed to avoid AV
Non-standard port use evades detection
Custom malware = no AV signature
Internal traffic is not monitored
Custom protocol avoids C2 signatures
RDP & FTP allowed on the network


Palo Alto Networks

Network Security Platform

Enabling Applications, Users and Content


 Applications Have Changed, Firewalls Haven’t


Network security policy is enforced at the firewall
•  Sees all traffic
•  Defines boundary
•  Enables access

Traditional firewalls don’t work anymore

 Applications: Threat Vector and a Target


Threats target applications
•  Used as a delivery mechanism
•  Application specific exploits


 Applications: Payload Delivery/Command & Control

Applications provide exfiltration
•  Confidential data
•  Threat communication


Encrypted Applications: Unseen by Firewalls

What happens when traffic is encrypted?
•  SSL
•  Proprietary encryption


Technology Sprawl and Creep Aren’t the Answer

Enterprise Network

•  “More stuff” doesn’t solve the problem

•  Firewall “helpers” have limited view of traffic

•  Complex and costly to buy and maintain

•  Doesn’t address application control challenges


IM DLP IPS Proxy URL AV

UTM

Internet

Making the Firewall a Business Enablement Tool

•  Applications: Safe enablement begins with application classification by App-ID.
•  Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
•  Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire.


NGFW in The Enterprise Network

Perimeter
•  App visibility and control in the firewall
•  All apps, all ports, all the time
•  Prevent threats
•  Known threats
•  Unknown/targeted malware
•  Simplify security infrastructure

Data Center
•  Network segmentation
•  Based on application and user, not port/IP
•  Simple, flexible network security
•  Integration into all DC designs
•  Highly available, high performance
•  Prevent threats

Distributed Enterprise
•  Consistent network security everywhere
•  HQ/branch offices/remote and mobile users
•  Logical perimeter
•  Policy follows applications and users, not physical location
•  Centrally managed


Strategy for Protecting the Network


Everything must go in the funnel

Reduce the attack surface 

Block everything you can 

 Test and adapt to unknowns 

Investigate and cleanup 

•  HTTP or all protocols?
•  20% of traffic encrypted by SSL
•  Non-standard ports and tunneled traffic


Strategy for Protecting the Network


Everything must go in the funnel 

Reduce the attack surface

Block everything you can 

 Test and adapt to unknowns 

Investigate and cleanup 

•  High risk applications and features
•  Block files from unknown domains
•  Find and control custom traffic

Strategy for Protecting the Network


Everything must go in the funnel 

Reduce the attack surface 

Block everything you can

 Test and adapt to unknowns 

Investigate and cleanup 

•  Exploits, malware, C2
•  Variants and polymorphism
•  DNS, URLs, malicious clusters


Strategy for Protecting the Network


Everything must go in the funnel 

Reduce the attack surface 

Block everything you can 

Test and adapt to unknowns

Investigate and cleanup 

•  Behavioral and anomaly analysis
•  Automatically create and deliver protections
•  Share globally

Strategy for Protecting the Network


Everything must go in the funnel 

Reduce the attack surface 

Block everything you can 

 Test and adapt to unknowns 

Investigate and cleanup

•  Events in app and user context
•  Share indicators of compromise
•  Integrate with end-point security
•  Feed the SIEM


 An Integrated Approach to Threat Prevention


Apps
URL
IPS
Spyware
AV
Files
Modern Malware

Bait the end-user
Exploit
Download Backdoor
Command/Control (C2)

Block high-risk apps
Block known malware sites
Block the exploit
Block malware
Prevent drive-by-downloads
Detect 0-day malware
Block new C2 traffic
Block spyware, C2 traffic
Block fast-flux, bad domains
Block C2 on open ports

Mobile App Analysis


WildFire

 App Collection

 App Stores

Manual Submission

API

GlobalProtect Gateway

Protection and Enforcement

Malware Signatures

URL and DNS usage

Integration with SIEM

 App Analysis


Integration Points

Integration with wireless infrastructure

Identify and authenticate who and what gets on the network

Protect network based on application, user and content


ClearPass and Palo Alto Networks

Mobility Network Services
•  Core AAA, NAC
•  Device Profiling
•  Guest + BYOD

Aruba MOVE & ClearPass

Palo Alto Networks

Next Generation Firewall
•  L7+ Application FW
•  Content Security
•  Threat Protection

Context:
•  Exchange rich endpoint context
•  Trigger real-time, intelligent network policies
•  Extendable architecture

Securing the Wireless with Palo Alto Networks


Guests

Employee Asset

Contractor

Next-Generation Firewall


 Aruba Integration

Feed User-ID Data
•  Centralized username to IP address mapping
•  No software agents required, support multiple identity stores
•  Rich visibility and reporting for compliance

Endpoint/Device Context
•  Feed device context to PAN, e.g. iPad, Android Phone
•  Enable policy enforcement based on new device context
•  Extensible schema allows adding more context to endpoint data

Centralized Identity Store
•  FW admin authentication using RADIUS
•  Provide services for VPN authentication

ClearPass Policy Manager

Palo Alto Networks

XML

AAA

User-ID Architecture


Integration Points


ClearPass Configuration


 Assigning Security Policies Based on Device Type

•  ClearPass Guest Fingerprints devices as they authenticate to the wireless environment
•  Palo Alto Networks integration shares the device fingerprint
•  Palo Alto Networks maps the device to a dynamic address object

Network security policy follows the device


How the Integration Works – From ClearPass


How the Integration Works – To Palo Alto Networks


To Palo Alto Networks

Resources


Collateral – Tech Note


http://www.arubanetworks.com/aruba-partners/ecosystem-partners/