Moving Beyond Proxies presentation

Transcript: Moving Beyond Proxies presentation

Moving Beyond Proxies
A New Approach to Cyber Security
1 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Web security is crucial but only goes so far
[Figure: timeline from the 1990s through the 2000s to Today. Threats shown: Undesired Websites, Malicious Websites, Dynamic Malicious Content, Mobile and Blended Web Threats, Advanced Web Based Threats (APTs), Port Hopping Applications and Evasive Techniques. Countermeasures shown: URL Filter, Web Security, Next Generation Security Platform.]
The Proxy Approach to Security
What proxy vendors would like you to believe:
[Figure: a single Web Proxy.]
And then reality sets in:
• Add Mgmt. Capabilities
• Add SIEM Integration
• Adding Policy Server
• Adding High Availability
• Adding Load Balancing
• Adding TIA (Transparent Identification Agent)
[Figure, built up one component per slide: the Web Proxy is joined by a SQL Server, a Log Management Server, a SIEM, a Policy Server, HA, LB and a Transparent Identification Agent.]
And because you are still only looking at HTTP and HTTPS:
[Figure: the same deployment with a Firewall added.]
Complicated. Hard to Manage. Limited Security.
Why the proxy approach is failing
• Limited visibility
• Scanning determined by URL category, not content
• Poor performance
• Growing application bypass lists
• Slow adoption of new security functionality
• Interruptive Technology
• Administrative and Financial Nightmare
Proxies lead to tunnel vision
• Focusing on HTTP and HTTPS traffic leaves large vulnerabilities
• There are more than 65,000 ports
• How to address Port Hopping or other evasion techniques?
[Figure: only HTTP – Port 80 and HTTPS – Port 443 are covered; the other ports are marked "???".]
A negative enforcement model
• Proxies use URL categories as the primary determination of what to allow.
• URLs meeting the policy requirements often don’t get further evaluation.
• Selective Content Analysis misses many threats.
[Figure: a Web Request is checked against Policy: Bad URL ✗, Good URL ✔. Only allowed requests reach Selective Content Analysis: Bad Content ✗, Good Content ✔. Callouts: "Restrictive Work Environment", "What about compromised legitimate Domains?" and "Selective" Means "We miss a lot".]
Introducing… a road block
[Figure: the path from A to B, with a road block in between.]
Application bypass lists - a security paradox:
[Figure: the path from A to B again, now showing the application bypass list.]
Fixing one problem at a time…
• Reactive security approach
• Bolt-on security
• Multiple security solutions & multiple user interfaces
• Not fully integrated
Proxies interrupt business flow
• Proxies sit in-line at Egress Points
• Interrupt information flow during...
  • Install
  • Upgrade
  • Maintenance
How much hardware do you want or need?
[Figure: the full proxy deployment: Web Proxy, Firewall, SQL Server, Log Management Server, SIEM, Policy Server, HA, LB and Transparent Identification Agent.]
Complicated. Hard to Manage. Limited Security.
The Need for a New Approach to Security
Application control - more than web security
Top 20 Doc/App Malware Combos Q1/2014
Document          Application    # of Threats
Executable        SMTP           33,016,389
Executable        web-browsing    1,681,110
Executable        Pop3              397,224
Executable        IMAP              349,003
DLL               web-browsing      104,671
Executable        ftp                43,949
DLL               IMAP               43,416
Excel 97 - 2003   web-browsing       41,826
PDF               web-browsing       17,228
Executable        aim-mail           16,958
Executable        http-proxy         16,092
DLL               pop3               12,209
PPT 97 - 2003     web-browsing        7,770
Executable        soap                3,125
DLL               ftp                 2,436
DLL               SMTP                2,092
Microsoft Word    web-browsing        1,733
DLL               http-proxy          1,046
Executable        mediafire           1,018
Executable        afreeca               958
• The most common attack vectors (95%) are messaging or file transfer applications (SMTP, POP3, IMAP, FTP, etc).
• Web Browsing is only a fraction (5%) of all applications containing malware.
• The vast majority of malware (99%) is contained in executable or dynamic link libraries.
Source: Unit 42 Research 2014
(Data collected 12/15/13 to 03/15/14)
Applications speed your business
• Increase productivity
• Reduce cost (IT, communication, etc.)
• Enhance communication with customers and partners or internal
Applications also carry risks
• Bring threats such as exploit, malware, and C&C traffic
• Leak sensitive data by unauthorized access and malware
• Unknown and encrypted traffic hide malicious activities
Key requirements for web security
• Safely enable applications using positive enforcement security rules
• Protect allowed applications from known threats
• Prevent unknown malware, exploits and zero-days
• Flexible policy, reporting and management
• Do all this WITHOUT major network slow down
[Figure: the platform enforces policy at the mobile device, at the internet edge, between employees and devices within the LAN, and within private, public and hybrid clouds, with a Cloud component.]
Next Generation Security Platform
Enabling applications, users and content
Efficient Threat Prevention
SINGLE PASS ARCHITECTURE
[Figure: Application, User and Content are classified in a single pass.]
App ID
• Application classification
• All applications
• Regardless of port
User ID
• Tie User with Application
• Regardless of Location - GlobalProtect
Threat Prevention
• AntiVirus
• IPS
• URL Filtering
• WildFire
Granular web access policies with fast lookups
URL FILTERING
[Figure: a URL Req. is looked up in PAN-DB from the Data Plane and the Management Plane; WildFire feeds URL Change Requests into PAN-DB; the resulting policy action is Allow, Block, Apply QoS, Decrypt SSL or Monitor.]
PAN-DB
• Regional seed database
• Multi Language
• Fast URL lookup in Data and Management Plane
• Updates from Wildfire
Policies
• Categorize unknown URLs
• Prevent malware download
• Prevent C&C attempts
Web-based security policy
Block file transfer from unknown sites
Security Policy Name           URL Category   Security Profile
Block download from Unknown    unknown        Block all file transfer

Decrypt SSL for specified URL categories
Decryption Policy Name          URL Category         Action
Decrypt webmail                 web-based-email      Decrypt
No decryption online banking    financial-services   No decrypt

QoS based on URL categories
QoS Policy Name                    URL Category      QoS Class   Schedule
Limit streaming during biz hours   streaming-media   8           Biz hours
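As an added example, not the vendor's own code or configuration, the following Python evaluates requests against the three tables above; the first-match semantics, the extra 'Allow webmail' rule, the implicit deny at the end of the security rule base (positive enforcement) and the 09:00 to 17:00 reading of 'Biz hours' are assumptions.

```python
"""Evaluator for the three URL-category policy tables on this slide. Added
example, not Palo Alto Networks code: rule semantics, the 'Allow webmail'
rule, the implicit deny and the Biz hours window are demo assumptions."""
from dataclasses import dataclass
from datetime import time

@dataclass
class Request:
    url_category: str    # category returned by the URL lookup
    file_transfer: bool  # session carries a file download
    at: time             # time of day the request is seen

# Security policy: first matching rule wins; a "Block all file transfer"
# profile on an allow rule still blocks file-transfer sessions.
SECURITY_RULES = [  # (name, url category, action, profile blocks files?)
    ("Block download from Unknown", "unknown", "allow", True),
    ("Allow webmail (assumed)", "web-based-email", "allow", False),
]
DECRYPTION_RULES = [  # (name, url category, action)
    ("Decrypt webmail", "web-based-email", "decrypt"),
    ("No decryption online banking", "financial-services", "no-decrypt"),
]
BIZ_HOURS = (time(9, 0), time(17, 0))  # assumed meaning of "Biz hours"
QOS_RULES = [  # (name, url category, QoS class, schedule)
    ("Limit streaming during biz hours", "streaming-media", 8, BIZ_HOURS),
]

def security_action(req):
    """(rule name, 'allow'|'block'); unmatched traffic is denied, i.e.
    positive enforcement: only what a rule enables gets through."""
    for name, cat, action, blocks_files in SECURITY_RULES:
        if cat == req.url_category:
            if action == "allow" and blocks_files and req.file_transfer:
                return name, "block"
            return name, action
    return "implicit deny (assumed)", "block"

def decryption_action(req):
    """(rule name, 'decrypt'|'no-decrypt'); default is no decryption."""
    for name, cat, action in DECRYPTION_RULES:
        if cat == req.url_category:
            return name, action
    return "default", "no-decrypt"

def qos_class(req):
    """(rule name, QoS class or None); category and schedule must both match."""
    for name, cat, klass, (start, end) in QOS_RULES:
        if cat == req.url_category and start <= req.at < end:
            return name, klass
    return "none", None
```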
Apply policies based on User-ID
[Table: URL Policy with one column per user group (Rule for MKT / Marketing, Rule for General, Rule for R&D) and rows Block List, Allow List, Allow Categories, Alert Categories, Block Categories, Continue Categories and Override Categories. Every group has abused-drugs, gambling and more… under Block Categories and unknown under Continue Categories; facebook.com appears in the block or allow list of two groups, and Social-networking is allowed, alerted on or overridden depending on the group.]
User-ID: Directory integration
User-ID works with various authentication and directory services to identify users/group, not only IP
Protecting against the unknown - WildFire
SANDBOXING THE UNKNOWN
[Figure: WildFire sandboxes files arriving over Email (SMTP), Web, FTP and SMB, on all ports, across all traffic including SSL encryption.]
• All commonly exploited file types
• Detect unknown
Intelligence correlated across: Perimeter, Data center, Endpoint, 3rd party data
Protections developed with in-line enforcement across the kill-chain:
• Malware
• Exploits
• Command-and-control
• DNS queries
• Malware URLs
[Delivered through Threat Prevention and URL Filtering.]
Comprehensive threat prevention
[Figure: THE UNKNOWN flows into the THREAT INTELLIGENCE CLOUD, where it is Automatically identified and Automatically prevented (labelled "15 minutes") instead of requiring MANUAL RESPONSE.]
• 192,000 WildFire anti-malware protections per day
• 24,000 URL protections per day
• 12,000 DNS protections per day
• Protections delivered automatically in Threat Prevention and URL Filtering
• Forensics & Reporting: rich forensics and reporting for quick, detailed investigation
Management and reporting
• Comprehensive view of your entire enterprise
• Contextual traffic analysis – application, user, content, threat, device
Flexible deployment options
[Figure: Tap Mode, Transparent In-Line, Firewall Replacement.]
• Flexible deployment options that fit every organization’s business needs
• Gain visibility and control without re-architecting your network or reconfiguring endpoints
Summary - Why the proxy approach is failing
• Limited visibility
• Scanning determined by URL category, not content
• Poor performance
• Growing application bypass lists
• Slow adoption of new security functionality
• Interruptive Technology
• Administrative and Financial Nightmare
For additional information
To learn more about Palo Alto Networks’ web security solution, download the white paper:
Moving Beyond Proxies – A new Approach to Cyber Security
http://go.paloaltonetworks.com/proxies
To experience the difference with Palo Alto Networks, schedule an appointment to conduct:
The Ultimate Test Drive
Contact your Palo Alto Networks sales representative.