Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Transcript of Wireless Network Security Palo Alto Networks / Aruba Networks Integration

Page 1: Wireless Network Security Palo Alto Networks / Aruba Networks Integration

15/11/13  


Wireless Network Security Palo Alto Networks / Aruba Networks Integration

Today’s Agenda

The Backdrop for Mobile Security

§  Changes in the application landscape

§  State of the art in mobile threats

§  Issues with the current approaches to enterprise security

Aruba Networks / Palo Alto Networks Integration

§  Introduction to the Palo Alto Networks Network Security Platform

§  Integration points with Aruba Networks ClearPass Guest

Resources

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Page 2: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Mobile Climate and Challenges


Need to Control:
• Who gets on the network
• What devices get on the network
• What applications and content those users and devices can access

Today's Challenge: Once a user's on the network, IT can't control what they can do or access. Most organizations do not have the security within the infrastructure to control granular application-level access based on user and device type.

Challenge: Redefining the IT Service Model

[Figure: PRE-BYOD versus POST-BYOD IT service model across Help Desk, Engineering and Operations. Labels: Design; Build & deploy; Support; desktop, voice, network; Self-selected devices, apps & services; User-defined infrastructure; Self-provision; Self-support.]

Page 3: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Securing Applications

Today’s Typical Network

[Figure: applications grouped as "Applications everyone wants to hate…", "Applications everyone needs…" and "Applications everyone tends to ignore…". Applications shown: Active Directory, SMB, pop3, snmp, dns, telnet, LDAP, ftp, SSL, custom tcp, custom udp, RDP, VNC, VPN, encrypted tunnel.]

Page 4: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Complexity Influencers


Complexity and Risk

[Figure: complexity and risk across Applications, Users and Threats. Labels: SMTP, SQL Slammer, Poison IVY, APT1, Aurora.]

SSL: Security or Evasion?

26% (356) of the applications found can use SSL

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

Page 5: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


SSL/Port 443: The Universal Firewall Bypass

Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

[Figure: applications and malware using tcp/443. Labels: Freegate, TDL-4, Poison IVY, Rustock, APT1, Ramnit, Bot, Citadel, Aurora, Gozi.]

Port Hopping: Ease of Access or Evading Control?


18% (255) of the applications found can hop ports

Page 6: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Managing Ports: A Bad Way to Control Applications


Lync ports to open as recommended by Microsoft

Random, non-contiguous communication ports and protocols … accessed by distributed workforce with different security risk profiles

Threats to Wireless Networks

Page 7: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


The Basics on Threat Prevention

| Threat | What it is | What it does |
|---|---|---|
| Exploit | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine. |
| Malware | Malicious application or code. | Anything – Downloads, hacks, explores, steals… |
| Command and Control (C2) | Network traffic generated by malware. | Keeps the remote attacker in control and coordinates the attack. |

Modern Attacks Are Coordinated

1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack

Page 8: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Mobile Malware: DPlug TTPod App in Google Play

[Figure: DPlug flow between Attacker and Victim. Labels: In-App Purchase; Dplug Malware; Sends IMSI / IMEI via SMS; Premium SMS; Forged Subscribe Confirm?; Accept; Premium SMS Billing.]

[Figure: attack stages with annotations.
Stages: Secondary Payload; Spread Laterally; Custom C2 & Hacking; Data Stolen; Exploit Kit Malware From New Domain; ZeroAccess Delivered; C2 Established.
Annotations: Hidden within SSL; New domain has no reputation; Payload designed to avoid AV; Non-standard port use evades detection; Custom malware = no AV signature; Internal traffic is not monitored; Custom protocol avoids C2 signatures; RDP & FTP allowed on the network.]

Page 9: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Palo Alto Networks Network Security Platform

Enabling Applications, Users and Content


Page 10: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Applications Have Changed, Firewalls Haven’t

Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access

Traditional firewalls don’t work any more

Applications: Threat Vector and a Target

Threats target applications
• Used as a delivery mechanism
• Application specific exploits

Page 11: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Applications: Payload Delivery/Command & Control

Applications provide exfiltration
• Confidential data
• Threat communication

Encrypted Applications: Unseen by Firewalls

What happens when traffic is encrypted?
• SSL
• Proprietary encryption

Page 12: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Technology Sprawl and Creep Aren’t the Answer

• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application control challenges

[Figure labels: Enterprise Network; Internet; UTM; IM; DLP; IPS; Proxy; URL; AV.]

Making the Firewall a Business Enablement Tool

§  Applications: Safe enablement begins with application classification by App-ID.

§  Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.

§  Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire.


Page 13: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


NGFW in The Enterprise Network

Perimeter
• App visibility and control in the firewall
  • All apps, all ports, all the time
• Prevent threats
  • Known threats
  • Unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation
  • Based on application and user, not port/IP
• Simple, flexible network security
  • Integration into all DC designs
• Highly available, high performance
• Prevent threats

Distributed Enterprise
• Consistent network security everywhere
  • HQ/branch offices/remote and mobile users
• Logical perimeter
  • Policy follows applications and users, not physical location
• Centrally managed

Strategy for Protecting the Network

Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  HTTP or all protocols?

•  20% of traffic encrypted by SSL

•  Non-standard ports and tunneled traffic

Page 14: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Strategy for Protecting the Network

Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  High risk applications and features

•  Block files from unknown domains

•  Find and control custom traffic

Strategy for Protecting the Network


Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  Exploits, malware, C2

•  Variants and polymorphism

•  DNS, URLs, malicious clusters

Page 15: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Strategy for Protecting the Network

Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  Behavioral and anomaly analysis

•  Automatically create and deliver protections

•  Share globally

Strategy for Protecting the Network

Everything must go in the funnel

Reduce the attack surface

Block everything you can

Test and adapt to unknowns

Investigate and cleanup

•  Events in app and user context

•  Share indicators of compromise

•  Integrate with end-point security

•  Feed the SIEM

Page 16: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


An Integrated Approach to Threat Prevention

[Table: threat-prevention functions (rows: Apps, URL, IPS, Spyware, AV, Files, Modern Malware) against attack stages (columns: Bait the end-user, Exploit, Download Backdoor, Command/Control (C2)). Cell entries: Block high-risk apps; Block known malware sites; Block the exploit; Block malware; Prevent drive-by-downloads; Detect 0-day malware; Block new C2 traffic; Block spyware, C2 traffic; Block fast-flux, bad domains; Block C2 on open ports.]

Mobile App Analysis

[Figure: WildFire mobile app analysis. Labels: App Collection; App Stores; Manual Submission; API; GlobalProtect Gateway; App Analysis; Protection and Enforcement; Malware Signatures; URL and DNS usage; Integration with SIEM.]

Page 17: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Integration Points

Integration with wireless infrastructure

Identify and authenticate who and what gets on the network

Protect network based on application, user and content

Page 18: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


ClearPass and Palo Alto Networks

Aruba MOVE & ClearPass: Mobility Network Services
• Core AAA, NAC
• Device Profiling
• Guest + BYOD

Palo Alto Networks: Next Generation Firewall
• L7+ Application FW
• Content Security
• Threat Protection

Context:
• Exchange rich endpoint context
• Trigger real-time, intelligent network policies
• Extendable architecture

Securing the Wireless with Palo Alto Networks

[Figure labels: Guests; Employee Asset; Contractor; Next-Generation Firewall.]

Page 19: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Aruba Integration

§  Feed User-ID Data
   §  Centralized Username to IP address mapping
   §  No software agents required, support multiple identity stores
   §  Rich visibility and reporting for compliance

§  Endpoint/Device Context
   §  Feed device context to PAN, e.g. iPad, Android Phone
   §  Enable policy enforcement based on new device context
   §  Extensible schema allows adding more context to endpoint data

§  Centralized Identity Store
   §  FW admin authentication using RADIUS
   §  Provide services for VPN authentication

[Figure labels: ClearPass Policy Manager; Palo Alto Networks; XML; AAA.]

User-ID Architecture

Page 20: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Integration Points


ClearPass Configuration

Page 21: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Assigning Security Policies Based on Device Type

§  ClearPass Guest fingerprints devices as they authenticate to the wireless environment

§  Palo Alto Networks integration shares the device fingerprint

§  Palo Alto Networks maps the device to a dynamic address object

§  Network security policy follows the device

How the Integration Works – From ClearPass


Page 22: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


How the Integration Works – To Palo Alto Networks


To Palo Alto Networks

Resources

Page 23: Wireless Network Security Palo Alto Networks / Aruba Networks Integration


Collateral – Tech Note

http://www.arubanetworks.com/aruba-partners/ecosystem-partners/