Preventing Lateral Movement in Virtualization

Post on 06-Jul-2020



1 | © 2016, Palo Alto Networks. Confidential and Proprietary.

Preventing Lateral Movement in Virtualization: Rethinking Security Architecture

Mr. Pichit Techawiset, Systems Engineer, ptechawiset@paloaltonetworks.com

Changing data center characteristics

§ Shift to dynamic, scalable, self-provisioned compute infrastructure

§ Eliminate compute silos and restrictions of where a workload can run

Diagram: evolution from Today's Data Center to the Software Defined Datacenter (Private Cloud), Hybrid Cloud and Public Cloud, each built on virtualized compute, network and storage. Security controls shown: Firewall, IPS/IDS, Anti-Malware.

Random open ports increase datacenter exposure

1) TCP port 88 for Kerberos Authentication

2) TCP 389 for LDAP

3) TCP & UDP 445 for SMB/CIFS/SMB2

4) TCP and UDP port 464 for Kerberos Password Change

5) TCP port 3268 & 3269 for Global Catalog

6) TCP and UDP port 53 for DNS

7) TCP and UDP dynamic ports: 1025 to 5000 (Windows Server 2003) and 49152 to 65535 (Windows Server 2008) for DCOM, RPC, EPM

Example of Applications in DC

Applications Have Grown More Complex

Applications using multiple ports, multiple protocols to communicate

Diagram: port maps of the example applications; the three port lists shown are:

80, 443, 135, 137, 139, 3200, 3300, 8000, 3600, 8100, 50013, 50014, 65000

443, 3478, 5223, 50,000-59,999

3389, 53, 42, 8, 13, 15, 17, 137, 138, 139, 445, 1025, 123, 507, 750, 88+464, 389, 636, 3268, 445, 161, 162, 42424, 691, 1024-65535

Datacenter applications are heavily targeted

• Crunchy perimeter, gooey interior?

Pie chart of exploit logs by application: MS-SQL 25%, MS-RPC 21%, Web Browsing 15%, SMB 11%, MS-SQL Monitor 10%, MS-Office Communicator 10%, SIP 4%, Other 3%, Active Directory 2%, RPC 2%, DNS 1%.

10 out of 1395 applications generated 97% of the exploit logs; 9 of these were datacenter applications.

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

A notional enterprise

Diagram: zones User Land, DMZ, Ingress/Egress and Data Center / Infrastructure, connected to the Internet; assets DC Core, IS Data Repo, Webmail, Partner Portal and Website; an Attacker.

Now for the adversary infrastructure

Diagram: the Internet with the Adversary Infrastructure: Malware Server, C2 Server, Exfil Server.

Direct attack to the server

• Another established C2 channel variant

Diagram: the notional enterprise (User Land, DMZ, Ingress/Egress, Data Center / Infrastructure; DC Core, IS Data Repo, Webmail, Partner Portal, Website) and the adversary infrastructure (Malware Server, C2 Server, Exfil Server); annotations: "Direct exploitation loads malware", "Establish C2".

Threat Prevention

Protections remove threats from wanted traffic

Visibility into all types of threats for all traffic & applications

Diagram: IPS & Anti-Malware inspecting applications, SSL, .zip files, URLs, SMTP and TCP features for vulnerabilities, CnC, viruses, malware, drive-by downloads and malicious DNS.

Landing area

Attack client and move to another zone

Diagram: notional enterprise and adversary infrastructure; annotations: "Malware automatically captures information", "Information exfiltration".

WannaCrypt Ransomware


Source: https://www.europol.europa.eu/wannacry-ransomware

Landing area

Attack client and move to another zone

Diagram: same as the previous Landing area slide (malware automatically captures information; information exfiltration).

Lateral movement in client zone

Find other computers to compromise

Diagram: notional enterprise and adversary infrastructure; annotations: "Malware compromises another computer", "More malware", "Establish C2".

Lateral movement to server zone

• How an attacker moves through the network – lateral movement

Diagram: notional enterprise (including the Partner Portal) and adversary infrastructure.

Command and Control (C2)

• Lateral movement performed until target assets are reached

Diagram: notional enterprise and adversary infrastructure; annotations: "Lateral movement commands", "Deepest compromise", "Backup foothold assets may be set up".

Compromise all zones

• C2 ultimately enables the attacker’s endgame, Actions on Objectives

Diagram: notional enterprise and adversary infrastructure; annotations: "Objective based commands", "Information exfiltration", "Dump domain credentials", "Steal repository information", "Steal local credentials", "Steal local information", "Deface or host malware from site".

Security challenge #1

• Firewall placement is based on layer 3 segmentation

• Places physical network constraints on your virtual network

• Unable to transparently insert security into traffic flow

Physical security device cannot see the East-West traffic

Diagram: MS-SQL, SharePoint, Web Front End

Security challenge #2

• Applications of different trust levels now run on a single server

• Port and protocol-based security is not sufficient

• VM-VM traffic (east-west) may not be inspected

Incomplete security features on existing virtual security solutions

Diagram: MS-SQL, SharePoint, Web Front End

Security challenge #3

• Application provisioning can occur in minutes; attribute changes are frequent

• Security approvals and configuration changes may take weeks

• Removal of old servers is slow or does not occur

• Dynamic security policies that understand VM context are needed

Static policies cannot keep pace with dynamic workload deployments

VM-Series Virtual Firewall

Supported Virtualization Platforms

Enable and protect datacenter applications

Traditional segmentation

§ Applications and data isolated by policy

§ Users granted access based on need

§ Traffic is protected from threats (exploits & malware)

Segmentation with Zero Trust principles

§ VMs and data isolated by policy

§ Users granted access based on need

§ VM-to-VM traffic is protected from threats (exploits & malware)

Diagram layers: Security, Application, Network; Panorama.

VM-Series for VMware

VM-Series for VMware vSphere (ESXi)

• VM-Series deployed as guest VMs on VMware ESXi

• Control and protect traffic into, and across, the virtual network

• Protect VM-to-VM traffic from lateral threat movement

VM-Series for VMware NSX

• VM-Series for NSX deployed as a service with VMware NSX and Panorama

• Automated deployment, transparent traffic steering, dynamic context-sharing

• Ideal for East-West traffic inspection

Sophisticated Security Challenges

Applications are not linked to ports & protocols

Distributed user and device population

Unknown Malware, Exploitation, C&C

The Need for a Comprehensive Security Solution

VMware NSX Platform: NSX Distributed Firewall

VM level zoning without VLAN/VXLAN dependencies

Line rate access control traffic filtering

Distributed enforcement at Hypervisor level

Palo Alto Networks Next Generation Security: Next Generation Firewall

Protection against known and unknown threats

Visibility and safe application enablement

User, device, and application aware policies

Simplified Automation workflows for NSX integration

Advanced Security Policies, API Integration, Quarantine, Security Groups Creation, Traffic Redirection

• Automated Security policy creation

• Tag configuration and automated workload quarantine

NSX Admin (Performs Step 2); Security Admin (Performs Steps 1 & 3)

Automated security policy creation workflow

1. Create dynamic address groups within Panorama (PCI, DMZ, PROD, DEV); security group information is automatically updated to NSX manager

2. Define security group membership within NSX

3. Create security policies in Panorama based on security groups; redirection policies are automatically created on NSX manager
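As an added illustration (not Palo Alto Networks or VMware code) of why the workflow above, and security challenge #3 before it, resolve policy from security groups and dynamic address groups rather than from static IPs: the tag-driven model below re-evaluates group membership on every decision, so a re-provisioned workload keeps its policy and a `quarantine` tag isolates it without a rule edit. The `Vm` class, group names, tags and port 1433 are assumptions; port 8100 and the web/app addresses are taken from the page.

```python
from dataclasses import dataclass, field

@dataclass
class Vm:
    name: str
    ip: str
    tags: set = field(default_factory=set)

# Dynamic address groups (hypothetical names): a VM is a member when it carries
# every tag in the group's match set. Membership is resolved at evaluation time.
DYNAMIC_GROUPS = {
    "WEB-PROD": {"env:prod", "tier:web"},
    "APP-PROD": {"env:prod", "tier:app"},
    "DB-PROD": {"env:prod", "tier:db"},
    "QUARANTINE": {"quarantine"},
}

# Rules evaluated top-down, first match wins: (src_group, dst_group, port, action).
# Port 8100 is from the page's application port list; 1433 is assumed for MS-SQL.
RULES = [
    ("QUARANTINE", "*", "*", "deny"),   # a quarantined workload talks to nobody
    ("*", "QUARANTINE", "*", "deny"),   # and nobody talks to it
    ("WEB-PROD", "APP-PROD", 8100, "allow"),
    ("APP-PROD", "DB-PROD", 1433, "allow"),
]
DEFAULT_ACTION = "deny"  # east-west default deny: segmentation on Zero Trust principles

def groups_of(vm):
    return {name for name, match in DYNAMIC_GROUPS.items() if match <= vm.tags}

def policy_decision(src, dst, port):
    """Return the action of the first rule matching the VM-to-VM flow."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if (rule_src == "*" or rule_src in src_groups) \
                and (rule_dst == "*" or rule_dst in dst_groups) \
                and (rule_port == "*" or rule_port == port):
            return action
    return DEFAULT_ACTION

def demo():
    """Constructed walk-through: web/app IPs are from the page's demo slide, db is made up."""
    web = Vm("web01", "10.100.100.90", {"env:prod", "tier:web"})
    app = Vm("app01", "10.100.100.95", {"env:prod", "tier:app"})
    db = Vm("db01", "10.100.100.40", {"env:prod", "tier:db"})
    results = {"web->app:8100": policy_decision(web, app, 8100),
               "web->db:1433": policy_decision(web, db, 1433)}  # tier-skipping flow denied
    app.ip = "10.100.100.120"      # workload re-provisioned with a new IP: no rule edit needed
    results["app->db:1433 after re-IP"] = policy_decision(app, db, 1433)
    app.tags.add("quarantine")     # incident response tags the workload: isolated immediately
    results["app->db:1433 quarantined"] = policy_decision(app, db, 1433)
    return results
```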

VM-Monitoring for Software Defined Data Center

Scale In / Scale Out for Elastic Applications


Traps

Advanced Endpoint Protection

Traps Prevents Known & Unknown Threats from Compromising Endpoints

Targeted Attack Sequence: Compromise Endpoint (Exploit Software Vulnerabilities, Execute Malicious Programs), Establish Control Channel, Conduct Reconnaissance, Pursue Objectives

Traps prevents both known and unknown exploits, including zero-day exploits.

Traps prevents both known and unknown malware from infecting endpoints.

Online, Offline, On-Prem, Off-Prem

Key takeaways

PREVENTION IS POSSIBLE…

• PRECISION CONTROL AND IT-LEVEL VISIBILITY: Reduce attack surface, stop threats

...with the right architecture.

• PLATFORM BREADTH AND INTEGRATION: Disrupt the advanced attack lifecycle (feedback + automation); integrate with people, processes, and IT architectures

Demo

Demo topology: Attacker 192.168.217.130; Firewall 10.100.100.254 / 192.168.217.21; Web 10.100.100.90; App 10.100.100.95