Wireless Network Security Palo Alto Networks / Aruba Networks Integration
15/11/13
Today’s Agenda
The Backdrop for Mobile Security
§ Changes in the application landscape
§ State of the art in mobile threats
§ Issues with the current approaches to enterprise security
Aruba Networks / Palo Alto Networks Integration
§ Introduction to the Palo Alto Networks Network Security Platform
§ Integration points with Aruba Networks ClearPass Guest
Resources
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Mobile Climate and Challenges
Need to Control:
• Who gets on the network
• What devices get on the network
• What applications and content those users and devices can access
Today's Challenge: Once a user is on the network, IT can't control what they can do or access. Most organizations do not have the security within the infrastructure to control granular application-level access based on user and device type.
Challenge: Redefining the IT Service Model
PRE-BYOD (Help Desk / Engineering / Operations): design desktop, voice, network; build & deploy; support
POST-BYOD: self-selected devices, apps & services; user-defined infrastructure; self-provision; self-support
Securing Applications
Today's Typical Network (figure): applications everyone wants to hate, applications everyone needs, and applications everyone tends to ignore. Applications shown: Active Directory, SMB, pop3, snmp, dns, telnet, LDAP, ftp, SSL, custom tcp, custom udp, RDP, VNC, VPN encrypted tunnel.
Complexity Influencers
Complexity and Risk (figure): applications (e.g. SMTP), users, and threats (SQL Slammer, Poison IVY, APT1, Aurora).
SSL: Security or Evasion?
26% (356) of the applications found can use SSL
Source: Palo Alto Networks, Application Usage and Threat Report, Jan. 2013.
SSL/Port 443: The Universal Firewall Bypass
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?
Figure: examples shown on tcp/443: Freegate, TDL-4, Poison IVY, Rustock, APT1, Ramnit, Bot, Citadel, Aurora, Gozi.
Port Hopping: Ease of Access or Evading Control?
18% (255) of the applications found can hop ports
Managing Ports: A Bad Way to Control Applications
Lync ports to open as recommended by Microsoft: random, non-contiguous communication ports and protocols, accessed by a distributed workforce with different security risk profiles.
Threats to Wireless Networks
The Basics on Threat Prevention
Threat | What it is | What it does
Exploit | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine.
Malware | Malicious application or code. | Anything: downloads, hacks, explores, steals...
Command and Control (C2) | Network traffic generated by malware. | Keeps the remote attacker in control and coordinates the attack.
Modern Attacks Are Coordinated
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack
Mobile Malware: DPlug TTPod App in Google Play
Figure labels: In-App Purchase; Attacker; DPlug malware; sends IMSI / IMEI via SMS; Premium SMS; forged subscribe confirm?; Victim; Accept; Premium SMS Billing.
Figure: stages of a multi-stage attack and why each evades detection:
• Exploit kit malware from new domain: new domain has no reputation
• ZeroAccess delivered: payload designed to avoid AV
• C2 established: hidden within SSL; non-standard port use evades detection
• Secondary payload: custom malware = no AV signature
• Spread laterally: internal traffic is not monitored; RDP & FTP allowed on the network
• Custom C2 & hacking: custom protocol avoids C2 signatures
• Data stolen
Palo Alto Networks Network Security Platform
Enabling Applications, Users and Content
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don't work any more.
Applications: Threat Vector and a Target
Threats target applications:
• Used as a delivery mechanism
• Application-specific exploits
Applications: Payload Delivery/Command & Control
Applications provide exfiltration:
• Confidential data
• Threat communication
Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Technology Sprawl and Creep Aren't the Answer
• "More stuff" doesn't solve the problem
• Firewall "helpers" have limited view of traffic
• Complex and costly to buy and maintain
• Doesn't address application control challenges
Figure: enterprise network connected to the Internet through a chain of point products (IM, DLP, IPS, Proxy, URL, AV, UTM).
Making the Firewall a Business Enablement Tool
§ Applications: Safe enablement begins with application classification by App-ID.
§ Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
§ Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire.
NGFW in the Enterprise Network
Perimeter
• App visibility and control in the firewall: all apps, all ports, all the time
• Prevent threats: known threats, unknown/targeted malware
• Simplify security infrastructure
Data Center
• Network segmentation based on application and user, not port/IP
• Simple, flexible network security; integration into all DC designs
• Highly available, high performance
• Prevent threats
Distributed Enterprise
• Consistent network security everywhere: HQ/branch offices/remote and mobile users
• Logical perimeter: policy follows applications and users, not physical location
• Centrally managed
Strategy for Protecting the Network
Everything must go in the funnel:
• HTTP or all protocols?
• 20% of traffic encrypted by SSL
• Non-standard ports and tunneled traffic
Reduce the attack surface:
• High risk applications and features
• Block files from unknown domains
• Find and control custom traffic
Block everything you can:
• Exploits, malware, C2
• Variants and polymorphism
• DNS, URLs, malicious clusters
Test and adapt to unknowns:
• Behavioral and anomaly analysis
• Automatically create and deliver protections
• Share globally
Investigate and cleanup:
• Events in app and user context
• Share indicators of compromise
• Integrate with end-point security
• Feed the SIEM
An Integrated Approach to Threat Prevention
Figure: protection technologies (Apps, URL, IPS, Spyware, AV, Files, Modern Malware) mapped against the attack stages:
• Bait the end-user: block high-risk apps; block known malware sites
• Exploit: block the exploit
• Download Backdoor: block malware; prevent drive-by-downloads; detect 0-day malware
• Command/Control (C2): block new C2 traffic; block spyware and C2 traffic; block fast-flux and bad domains; block C2 on open ports
Mobile App Analysis
Figure (WildFire): App Collection (App Stores, Manual Submission, API, GlobalProtect Gateway) feeds App Analysis, which drives Protection and Enforcement (malware signatures, URL and DNS usage, integration with SIEM).
Integration Points
Integration with wireless infrastructure:
• Identify and authenticate who and what gets on the network
• Protect the network based on application, user and content
ClearPass and Palo Alto Networks
Aruba MOVE & ClearPass (Mobility Network Services):
• Core AAA, NAC
• Device Profiling
• Guest + BYOD
Palo Alto Networks Next Generation Firewall:
• L7+ Application FW
• Content Security
• Threat Protection
Context:
• Exchange rich endpoint context
• Trigger real-time, intelligent network policies
• Extendable architecture
Securing the Wireless with Palo Alto Networks
Figure: Guests, Employee Assets and Contractors on the wireless network pass through the Next-Generation Firewall.
Aruba Integration
§ Feed User-ID Data
  § Centralized username to IP address mapping
  § No software agents required; supports multiple identity stores
  § Rich visibility and reporting for compliance
§ Endpoint/Device Context
  § Feed device context to PAN, e.g. iPad, Android Phone
  § Enable policy enforcement based on new device context
  § Extensible schema allows adding more context to endpoint data
§ Centralized Identity Store
  § FW admin authentication using RADIUS
  § Provide services for VPN authentication
Figure (User-ID Architecture): ClearPass Policy Manager and Palo Alto Networks; labels: XML, AAA.
Integration Points
ClearPass Configuration
Assigning Security Policies Based on Device Type
§ ClearPass Guest fingerprints devices as they authenticate to the wireless environment
§ Palo Alto Networks integration shares the device fingerprint
§ Palo Alto Networks maps the device to a dynamic address object
§ Network security policy follows the device
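As an added example, not code from the deck or from either vendor, the Python below builds the kind of User-ID XML API message that carries what the "Aruba Integration" and "Assigning Security Policies Based on Device Type" slides describe: a username-to-IP mapping plus a device-type tag per IP, which is what a dynamic address object on the firewall can match. The ClearPass event records, the tag names and the timeout are constructed assumptions; the uid-message element layout follows the publicly documented User-ID XML API, so check it against your PAN-OS version before use.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the endpoint context ClearPass could share after a
# wireless authentication: who logged in, from which IP, on what device.
CLEARPASS_EVENTS = [
    {"user": "CORP\\alice", "ip": "10.20.30.41", "device": "Apple iPad"},
    {"user": "CORP\\bob", "ip": "10.20.30.42", "device": "Android Phone"},
    {"user": "guest-7731", "ip": "10.20.40.5", "device": "Windows Laptop"},
]

# Assumed policy: ClearPass device families -> tag names the firewall's
# dynamic address groups match on (the tag names are our own choice).
DEVICE_TAGS = {"apple ipad": "cp-ios-tablet", "android phone": "cp-android",
               "windows laptop": "cp-windows"}
DEFAULT_TAG = "cp-unknown-device"      # unprofiled devices get a restrictive tag
MAPPING_TIMEOUT_MIN = 20               # assumed lifetime of the user->IP mapping

def device_tag(device):
    return DEVICE_TAGS.get(device.strip().lower(), DEFAULT_TAG)

def build_uid_message(events):
    """Build one User-ID XML API 'update' with a <login> entry (user -> IP)
    and a <register> entry (IP -> tag) per event. A malformed IP raises
    ValueError so a bad record cannot poison the firewall's mapping table."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    register = ET.SubElement(payload, "register")
    for ev in events:
        ip = str(ipaddress.ip_address(ev["ip"]))   # validates before emitting
        ET.SubElement(login, "entry", name=ev["user"], ip=ip,
                      timeout=str(MAPPING_TIMEOUT_MIN))
        reg = ET.SubElement(register, "entry", ip=ip)
        tag = ET.SubElement(reg, "tag")
        ET.SubElement(tag, "member").text = device_tag(ev["device"])
    return ET.tostring(root, encoding="unicode")

def tags_by_ip(xml_text):
    """Parse a uid-message back into {ip: tag}, e.g. to audit what was sent."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): e.findtext("tag/member")
            for e in root.iterfind("payload/register/entry")}

if __name__ == "__main__":
    print(build_uid_message(CLEARPASS_EVENTS))
```

The generated document is what gets submitted to the firewall's User-ID API over HTTPS with an API key; the point of the tag-per-IP entry is that security policy written against the dynamic address group applies the moment ClearPass reports the device, without a commit.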
How the Integration Works – From ClearPass
How the Integration Works – To Palo Alto Networks
Resources
Collateral – Tech Note
http://www.arubanetworks.com/aruba-partners/ecosystem-partners/