McAfee and Georgia State University---Taking Aim at Network Intruders With Intrushield’s Intrusion Prevention System
Tammy Clark, Chief Information Security Officer; William Monahan, Lead Information Security Administrator (Georgia State University)
Bill Boyle, Product Line Executive, Network Security (McAfee)
Today’s Agenda
– A Little Background Info
– Bad Guys are Getting Smarter
– IntruShield, Not a Panacea (But Close)
– One Size Does Not Fit All (Child Domains)
– Application of Sigs – Not For the Faint of Heart
– Leveraging Stateful Firewall
– Unidirectionally Blocking P2P
– Hypercommunicate
– Dealing with: “The FW Broke it”
– McAfee IntruShield Architecture
– Network Class Hardware
Copyright GSU, eFortresses, March 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by
permission of the author. To disseminate otherwise or to republish requires written permission from the author.
A Little Background Info
• GSU’s information security program launched in 2000 w/one staff member (now have three)
• Decentralized information technology environment – success through tools, governance, & cooperation/collaboration w/stakeholders
• Information Security Department & Office of Disbursements recommended for ISO 27001 Certification by BSI in 2008 (incrementally expanding the scope)
Bad Guys are Getting Smarter
• 2004 – Phishing
2008 – Spear Phishing (highly targeted/sophisticated)
• 2004 – BOTs easy to find via monitoring IRC channels
2008 – Command/control w/common ports & encryption
• 2004 – Exploits targeting OS vulnerabilities & some Apps
2008 – Exponential growth in exploits targeting Apps
• 2004 – Users had to click on a link to obtain malware
2008 – Downloaders via compromised “legitimate” sites are killing us
IntruShield, Not a Panacea (But Close)
• IntruShield 4000 Appliance Deployed in August of 2004 on the Perimeter (a lot of questions/uncertainty)
• Advantages of IPS (Intrusion Prevention System) as Opposed to Traditional FW Technologies
• Lessons Learned & Best Practices
– One size does not fit all (unique policies for different colleges/departments)
– Incremental application of signatures w/change management & change control
– Leveraging stateful firewall in conjunction w/signatures
– Success with unidirectionally blocking P2P
– Hypercommunicate – reporting, change management & control
– Dealing with: it’s gotta be the FW
One Size Does Not Fit All (Child Domains)
Application of Sigs – Not For the Faint of Heart
Incremental Approach
Change Management & Control
Tie Filtration Back to Policy
Beware of the Complacency
No mods after Wednesday @ 3:00 PM
Which Direction?
Leveraging Stateful Firewall
The “Nuclear Option” for Colleges & Departments
Protection for System IP(s) that Process “confidential” information (HIPAA, FERPA, Visa PCI…)
Unidirectionally Blocking P2P
February 2006 – wireless networks on verge of collapse due to ubiquitous P2P traffic & inordinate amount of copyright infringement notifications – referenced Server Registration Policy & blocked outbound traffic
Totally blocked for areas that process “confidential” information
Hypercommunicate!
• Daily Attack Reports to IT Managers – Outbound High & Medium Attacks – Increased Awareness Spawned Filtration Requests & Disciplinary Action
• Monday afternoon change management / change control meetings
• Monthly Information Technology Security and Support Subcommittee (ITSSS) meetings
• Email broadcasts – Example: system-wide notification for remote access filtration (SSH, IRC, pcAnywhere, Remote Desktop Protocol, VNC…)
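The daily outbound High/Medium attack report above is the slide’s main feedback loop to IT managers, and the “child domain” idea earlier in the deck is what lets each report land with the college or department that owns the source host. As an added example (not from the presentation and not McAfee’s or GSU’s own tooling), the script below builds such a report from an exported alert log. The pipe-delimited alert format, the department-to-subnet mapping, and the sample records are constructed assumptions; the deck does not show IntruShield’s export format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alert export (assumption: one record per line, '|' separated).
# Fields: timestamp | severity | direction | src_ip | dst_ip | attack_name
SAMPLE_ALERTS = """\
2007-03-05T08:12:01|High|Outbound|10.10.1.25|203.0.113.7|IRC: Bot Command Channel
2007-03-05T08:15:44|Medium|Outbound|10.10.2.9|198.51.100.3|P2P: BitTorrent Handshake
2007-03-05T08:20:10|High|Inbound|203.0.113.7|10.10.1.25|SSH: Brute Force Login
2007-03-05T09:02:33|Low|Outbound|10.10.2.40|198.51.100.9|HTTP: Suspicious User-Agent
2007-03-05T09:30:00|Medium|Outbound|10.10.1.25|192.0.2.55|HTTP: Downloader Retrieval
2007-03-05T10:11:12|High|Outbound|10.20.5.5|192.0.2.55|HTTP: Downloader Retrieval
"""

# Constructed "child domain" ownership map (assumption): each college or
# department is responsible for the hosts in its registered subnet.
DEPARTMENT_SUBNETS = {
    "College of Arts": ipaddress.ip_network("10.10.1.0/24"),
    "Library": ipaddress.ip_network("10.10.2.0/24"),
    "Disbursements": ipaddress.ip_network("10.20.5.0/24"),
}

# The slide reports only High and Medium severities; Low is left out on purpose.
REPORTED_SEVERITIES = {"High", "Medium"}


def parse_alerts(text):
    """Parse the constructed export into a list of dicts, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, severity, direction, src, dst, name = line.split("|", 5)
        alerts.append({
            "timestamp": ts,
            "severity": severity,
            "direction": direction,
            "src_ip": src,
            "dst_ip": dst,
            "attack": name,
        })
    return alerts


def department_for(ip):
    """Map a source address to its owning department; unknown hosts are flagged
    so the report can be tied back to the server registration policy."""
    addr = ipaddress.ip_address(ip)
    for dept, net in DEPARTMENT_SUBNETS.items():
        if addr in net:
            return dept
    return "Unregistered"


def build_daily_report(alerts):
    """Keep only outbound High/Medium alerts and count them per department,
    keyed by (source host, severity, attack) so repeat offenders stand out."""
    report = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        if a["direction"] != "Outbound" or a["severity"] not in REPORTED_SEVERITIES:
            continue
        dept = department_for(a["src_ip"])
        report[dept][(a["src_ip"], a["severity"], a["attack"])] += 1
    return {dept: dict(counts) for dept, counts in report.items()}


def render_report(report):
    """Plain-text rendering suitable for the daily e-mail to IT managers."""
    lines = []
    for dept in sorted(report):
        lines.append(f"== {dept} ==")
        for (src, sev, attack), n in sorted(report[dept].items()):
            lines.append(f"  {src:<15} {sev:<6} x{n}  {attack}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(build_daily_report(parse_alerts(SAMPLE_ALERTS))))
```

Inbound alerts are deliberately excluded: the slide’s point is that outbound High/Medium hits identify compromised or misused internal hosts, which is what drives the filtration requests and disciplinary follow-up. Hosts that fall outside every registered subnet are grouped under a separate heading rather than dropped, so the report also surfaces unregistered servers.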
Dealing with: “The Firewall Broke It”
80% of the “The Firewall Broke It” issues are quickly disproved via VPN session or generating an IntruShield report.
Other options include punching a “really big hole” or placing IntruShield in fiber bypass mode.
McAfee IntruShield Architecture
[Slide graphic: IntruShield architecture overview – labels: Real Events Are Found In Real-Time; Set and Forget; Short Learning Curve; Easy To Use; Network Class; Accurate; Decrease Risk; Decrease Exposure; Decrease OpEx; “30,000 to 30”]
Network Class Hardware
[Slide graphic: Performance, Scalability and Connectivity across deployment segments – SMB & Branch Office, Enterprise Perimeter, Enterprise Core, Service Providers; sensor models I-1200, I-1400, I-2700, I-3000, I-4000, I-4010, M-6050, M-8000; throughput tiers 100Mbps, 200Mbps, 600Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps]
IntruShield’s Collaborative Security Infrastructure
[Slide graphic: McAfee IntruShield linked to McAfee ePO, McAfee ToPS Enterprise and McAfee Foundstone; label: Powerful Alert Analysis]
• Integration with McAfee NAC – Behavior-driven host quarantine and Dynamic NAC for real-time post-admission control of managed and un-managed hosts
• Integration with ePO – Faster time-to-protection/time-to-resolution with real-time visibility of system host details, top Host IPS attacks & AV/spyware events
• Integration with Foundstone – Real-time Risk-Aware IPS with on-demand threat relevancy and Foundstone ‘scan now’ functionality
[Slide graphic: ePO Host Details in ISM]
Foundstone Integration – Risk-Aware Intrusion Prevention
• Integration with IntruShield = Risk-Aware IPS
• IntruShield Alert Viewer provides alert & risk relevancy, based on Foundstone scan data
Questions?
• Tammy Clark – [email protected]
• Bill Boyle – [email protected]
• William Monahan – [email protected]