McAfee and Georgia State University---Taking Aim at Network Intruders With Intrushield’s Intrusion Prevention System

Tammy Clark, Chief Information Security Officer; William Monahan, Lead Information Security Administrator; Bill Boyle, Product Line Executive, Network Security

Page 1 (title slide)

Page 2

Today’s Agenda

– A Little Background Info

– Bad Guys are Getting Smarter

– IntruShield, Not a Panacea (But Close)

– One Size Does Not Fit All (Child Domains)

– Application of Sigs – Not For the Faint of Heart

– Leveraging Stateful Firewall

– Unidirectionally Blocking P2P

– Hypercommunicate

– Dealing with: “The FW Broke it”

– McAfee IntruShield Architecture

– Network Class Hardware

Copyright GSU, eFortresses, March 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3

A Little Background Info

• GSU’s information security program launched in 2000 w/one staff member (now have three)

• Decentralized information technology environment – success through tools, governance, & cooperation/collaboration w/stakeholders

• Information Security Department & Office of Disbursements recommended for ISO 27001 Certification by BSI in 2008 (incrementally expanding the scope)


Page 4

Bad Guys are Getting Smarter

• 2004 – Phishing
  2008 – Spear Phishing (highly targeted/sophisticated)

• 2004 – BOTs easy to find via monitoring IRC channels
  2008 – Command/control w/common ports & encryption

• 2004 – Exploits targeting OS vulnerabilities & some Apps
  2008 – Exponential growth in exploits targeting Apps

• 2004 – Users had to click on a link to obtain malware
  2008 – Downloaders via compromised “legitimate” sites are killing us


Page 5

IntruShield, Not a Panacea (But Close)

• IntruShield 4000 Appliance Deployed in August of 2004 on the Perimeter (a lot of questions/uncertainty)

• Advantages of IPS (Intrusion Prevention System) as Opposed to Traditional FW Technologies

• Lessons Learned & Best Practices

– One size does not fit all (unique policies for different colleges/departments)

– Incremental application of signatures w/change management & change control

– Leveraging stateful firewall in conjunction w/signatures

– Success with unidirectionally blocking P2P

– Hypercommunicate – reporting, change management & control

– Dealing with: it’s gotta be the FW


Page 6

One Size Does Not Fit All (Child Domains)


Page 7

Application of Sigs – Not For the Faint of Heart


Incremental Approach

Change Management & Control

Tie Filtration Back to Policy

Beware of the Complacency

No mods after Wednesday @ 3:00 PM

Which Direction?

Page 8

Leveraging Stateful Firewall


The “Nuclear Option” for Colleges & Departments

Protection for System IP(s) that Process “confidential” information (HIPAA, FERPA, Visa PCI…)

Page 9

Unidirectionally Blocking P2P


February 2006 – wireless networks on verge of collapse due to ubiquitous P2P traffic & inordinate amount of copyright infringement notifications – referenced Server Registration Policy & blocked outbound traffic

Totally blocked for areas that process “confidential” information

Page 10

Hypercommunicate!


• Daily Attack Reports to IT Managers

– Outbound High & Medium Attacks

– Increased Awareness Spawned Filtration Requests & Disciplinary Action

• Monday afternoon change management change control meetings

• Monthly Information Technology Security and Support Subcommittee (ITSSS) meetings

• Email broadcasts – Example: system wide notification for remote access filtration (SSH, IRC, pcAnywhere, Remote Desktop Protocol, VNC…)

Page 11

Dealing with: “The Firewall Broke It”


80% of the “The Firewall Broke It” issues are quickly disproved via VPN session or generating an IntruShield report.

Other options include punching a “really big hole” or placing IntruShield in fiber bypass mode.

Page 12

McAfee IntruShield Architecture (diagram; labels: Real Events Are Found In Real-Time; Set and Forget; Short Learning Curve; Easy To Use; Network Class; Accurate; Decrease Risk; Decrease Exposure; Decrease OpEx; 30,000 to 30)

Page 13

Network Class Hardware

Page 14

Network Class Hardware (diagram: Performance, Scalability and Connectivity across SMB & Branch Office, Enterprise Perimeter, Enterprise Core and Service Providers; throughput tiers 100Mbps, 200Mbps, 600Mbps, 1Gbps, 2Gbps, 5 Gbps, 10Gbps; models I-1200, I-1400, I-2700, I-3000, I-4000, I-4010, M-6050, M-8000)

Page 15

McAfee IntruShield Architecture (diagram repeated from Page 12)

Page 16

Powerful Alert Analysis

Page 17

IntruShield’s Collaborative Security Infrastructure (diagram: McAfee IntruShield, McAfee ePO, McAfee ToPS Enterprise, McAfee Foundstone)

Integration with McAfee NAC

• Behavior-driven host quarantine and Dynamic NAC for real-time post admission control of managed and un-managed hosts

Integration with ePO

• Faster time-to-protection/time-to-resolution with real-time visibility of system host details, top Host IPS attacks & AV/spyware events

Integration with Foundstone

• Real-time Risk-Aware IPS with on-demand threat relevancy and Foundstone ‘scan now’ functionality

Page 18

ePO Host Details in ISM

Page 19

ePO Host Details in ISM

Page 20

Integration with IntruShield = Risk-Aware IPS

IntruShield Alert Viewer provides alert & risk relevancy, based on Foundstone scan data

Risk-Aware Intrusion Prevention

Page 21

Foundstone Integration

Page 22

McAfee IntruShield Architecture (diagram repeated from Page 12)

Page 23

Questions?


• Tammy Clark – [email protected]

• Bill Boyle – [email protected]

• William Monahan – [email protected]