LINK DOWNLOAD MIỄN PHÍ TÀI LIỆU "Tài liệu White Paper - Modern Network Security: The Migration to Deep Packet Inspection pptx": http://123doc.vn/document/1036181-tai-lieu-white-paper-modern-network-security-the-migration-to-deep-packet-inspection-pptx.htm
White Paper: Th e Mig ration to Deep Packet Inspection
One of the most significant aspects of DPI is that it is a service-based technology.
Unless the security appliance knows what threat signatures or anomalies it is
looking for, it is helpless. The "workhorse" DPI service is typically called Intrusion
Prevention Service (IPS). IPS provides the security appliance with a frequently
updated library of threat signatures, heuristic instructions etc., in order to insure it
is protecting the network from current threats.
A major impact of IPS (and the
other DPI-oriented technolo-
gies described below) is that the
security appliance is no longer
a static element that sits in the
network.
The security appliance is now a
dynamic threat prevention system that
requires constant, real-time updates to
its attack signature libraries, URL lists,
virus definition files, etc. to ensure the
network is protected against threats
that are present this hour… as well
as those of last week, last month and
last year.
Viruses
Viruses (and Worms) are a class of attack whereby an infected attachment or
download causes damage to a host system or network. The damage can range
from minor (client DoS attack) to catastrophic (full-blown corruption of critical
stored information or system registries). A critical trend that is resulting from the
increased sophistication of Viruses is the rapidly decreasing "window of infection".
In July of 2001, it took the Code Red virus just under 6 hours to infect 359,000
clients. Just eighteen months later, the Slammer worm infected 75,000 clients in
under 30 minutes. The threats are real… and spread fast. Security vendors have
responded by trying to decrease their own "windows of inoculation"… which is the
time it takes to detect a threat, issue a patch release, and download it to its host
systems under management.
There is also a new class of virus-related attack called a 'blended threat'. A
blended threat is a 'perfect attack' whereby a virus is accompanied by a number
of other attack and intrusion techniques to maximize penetration and damage. A
good illustration of this type of attack is the SoBig virus detailed below.
SoBig and Sasser are good examples of how complicated it has become to detect
and prevent sophisticated application-layer attacks. To protect against these
types of attack, it is mandatory to have IPS and Gateway Antivirus (GAV) installed
and activated in the network, whether it is provided by a Deep Packet Inspection
IPS
Spyware
Anti-Virus
LAN
etc
DPI Firewall
with Security
Services
Signature
Updates
Egress
Traffic
Ingress
Traffic
Figure 2 - The security appliance is now a dynamic system that requires
regular signature updates
www.esoft.comPAGE 6
White Paper: Th e Mig ration to Deep Packet Inspection
Firewall or by a standalone Content Security appliance as described further in this
paper. Not only that, but the IPS/GAV systems must be fed with quality, real-time
signatures to ensure rapid response to the threats.
3 - Financial rewards for hackers with the advent of Spyware and Phishing
The Internet has evolved from being a general information source to a critical
enabler of international commerce. Because of the sensitive type of information
that now flows freely over the Internet, a new breed of threat aims at obtaining
this information… sometimes honestly and sometimes with malicious intent.
Because the information obtained in these types of attacks has value, hackers
are being financially compensated for their work, often by major public corpora-
tions; sometimes by organized crime. This is a particularly disturbing trend, since
it is attracting the best and the brightest one-time programmers into the black-hat
world of hacking and malware generation.
Spyware
Spyware (and Adware) is one of the most misunderstood of the new generation of
application-layer threats because there is no consensus on what defines a threat
(or more appropriately, what the difference is between 'annoying' Adware and a
true threat). There are three general classes of Spyware:
• Harmless-but-annoying
Generally consists of actions such as changing the default home page of
your browser, or unsolicited/untargeted pop-up ads.
• Information-collecting
Cookies are the most common type of information collecting mechanism,
but simple keystroke and activity loggers are becoming more common. This
class of Spyware is generally interested in collecting basic information about
you, the sites you visit, and other preferences so that a 3rd party can send
you targeted ads or promotions. There is generally not malicious intent, but
many would call this an invasion of privacy.
• Malicious
Full keystroke logging and collecting private information with the intent of
sending the information to a collection server. The information is collected,
and sold to 3rd parties who have varying interests. Even today, this type of
Spyware can be downloaded instantly on a Client device simply by visiting
a URL… no further clicking necessary. This type of Spyware is illegal and
critical for an organization to detect and stop.
A Closer Look: The SoBig virus
SoBig is a mass-mailer virus that sends itself to all email addresses in a user's address
books (with the following extensions: wab, dbx, htm, html, eml, txt). The email is supposedly
sent by Microsoft support (support@microsoft.com) with non-descript Subject text. When the
user opens the email and attachment, code is executed that infects the host computer, then
emails itself (using its own SMTP engine) to other unsuspecting computers. The result is
a massive bot-net of Zombie machines that self-propagates and amplifies the virus and its
damaging effects.
The problem with SoBig was not the malicious nature of the attack itself, but that 1) it
consumes massive amounts of bandwidth bringing networks to a crawl, and 2) it opens ports
on the infected machine, making it vulnerable to hackers using simple port scans (usually
with the goal of planting Trojans).
www.esoft.comPAGE 7
White Paper: Th e Mig ration to Deep Packet Inspection
To further add to the complexity, there are three major Spyware delivery
mechanisms:
• Embedded Installs
The most 'honest' of the three mechanisms, embedded installs are typically
Spyware/Adware elements that are embedded into programs or services
that are downloaded from the web. For example, BigCorp.com might pay
a bundling agreement with Claria (Gator eWallet), where they pay Claria $1
per client install.
• Drive-by Installs
In this method, a banner ad or popup attempts to install software on a PC,
usually through the ActiveX controls distributed within Windows and by
default enabled in Internet Explorer. Depending on the security settings on
the PC browser, the Spyware downloads silently or was downloaded when
the user clicked 'Yes' in the installer dialogue box. In many cases, Drive-
by's also take advantage of browser exploits that can force an unsuspecting
PC browser to automatically download and execute code that installs the
Spyware.
• Browser Exploit
As described above, targets vulnerabilities in the web browser code to install
Spyware. A classic example is the Internet Explorer iFrame vulnerability.
Because IE is such a targeted browser, many IT departments are migrating
to alternate browsers such as Mozilla's Firefox. This is only putting off the
inevitable, however, as every browser that gains in popularity will eventually
be the target of Spyware attacks.
Spyware is difficult to stop because it requires so many technologies to detect and
prevent the exploit. A robust Spyware prevention architecture will consist of both
client/server and gateway-based elements.
Client and server based Anti-Spyware software will detect and try to prevent users
from accessing known bad sites, and to a limited extent provide more advanced
functionality to detect suspicious behavior from actual downloads and ActiveX
controls. The software will also inspect individual system memory, system regis-
tries, start-up files and other stored items to detect and remove Spyware. While
necessary, client and server based Anti-Spyware software is not enough.
Since Spyware is carried by so many delivery mechanisms and is getting so
sophisticated, an additional gateway-based Anti-Spyware element is required.
The gateway element not only reinforces URL filtering to prevent access to known
bad sites, but provides thorough IPS functionality that detects abnormal behavior
from ActiveX Controls and Java Applets and the like, and also provides Anti-virus
functionality that inspects attachments for malicious code that installs Spyware.
The gateway is also an effective tool for scanning both Instant Messaging (IM)
and peer-to-peer protocols/programs, which are a growing target for Spyware and
other attacks. Perhaps most importantly, a gateway-based Anti-Spyware solution
mitigates the harmful outbound effects of pre-infected client and server devices
(that might be attempting to contact a collection server on the Internet to deliver
sensitive personal or company data, for instance).
www.esoft.comPAGE 8
White Paper: Th e Mig ration to Deep Packet Inspection
Phishing and Pharming
By the end of 2006, almost 70% of all malicious e-mail traffic was phishing e-mail.
Similar to Spyware, there is financial incentive for Phishing. Phishing comes in
many forms, but a common example is a malicious attack where criminal entity
sends an 'official' email to an unsuspecting email user, asking that they go to a
website and 'validate' their username/password and other account information, as
shown in the Figure 3 below.
In this example, a bogus PayPal® email was sent to all users in a corporate
network. The email stated that the users PayPal account was suspended because
of suspicious account activity from a 'foreign' IP address. The disturbing part of
this Phish attack is that the user, upon clicking the link to access their account,
is presented with an 'official' PayPal login page with their account login pre-
populated, so nothing looks out of the ordinary… convenient in fact. The only
thing the user has to do is enter their password, and the scam is complete. In the
case of this specific scam, the 'collection' website had already been abandoned
by the criminal entity, as shown in Figure 4. Note the sophistication of the refused
URL (http://83.16.186.158/.cgi/paypal/cgi-bin/webscrcmd_login.php), which to
the casual Internet user looks like it has all of the right address elements to look
official, but to an experienced IT manager, there are several red flags.
Figure 3 - Example Phishing email
www.esoft.comPAGE 9
White Paper: Th e Mig ration to Deep Packet Inspection
Phishing scams can get quite sophisticated; it is not unusual for a hacker to re-
create an entire web-site in an effort to look legitimate. Worse yet, there are
other Phishing-related threats that are much more serious. With Phishing, an
informed user can
fairly intelligently
determine if what they
are being asked to
do is normal practice.
With a new threat
such as Pharming,
also called DNS route
poisoning, the DNS
servers themselves
are compromised,
and the DNS entries
are modified to point
to criminal websites.
With a good job
of re-creating the
target web site,
Pharming can be
very hard to detect.
In a 'nightmare'
scenario the user types in their target URL, where the compromised DNS server
sends them to an innocuous looking, but malicious website. The user then types
in their username and password in the bogus web server, which the criminals
collect. Finally, before the user knows anything malicious has happened, they
are re-directed to the official web server, where they are already logged in and
can access their account as usual. All of this is completely transparent to the end
user. While this sounds far-fetched, it is an increasingly regular occurrence.
Like Spyware, Phishing is a complicated threat to detect and prevent. The IT
administrator's security schema must not only have Spyware software as a
mandatory element on the client side, but also at the edge of the network itself on
the security gateway. Not only will the gateway prevent Phishing from occurring
in the first place, but like Anti-Spyware, it will help mitigate the outbound effects of
users who inadvertently accessing something they should not be.
Figure 4 - Abandoned Phishing site
www.esoft.comPAGE 10
White Paper: Th e Mig ration to Deep Packet Inspection
4 - Governmental regulations compliance
Another important trend affecting network security is the growing number of
governmental regulations in the US and abroad. One popular example of
recent US regulation is the Health Insurance Portability and Accountability Act
(HIPAA), which regulates how and when sensitive medical patient data can be
transmitted. This regulation mandates that health organizations have Intrusion
Prevention and secure
connectivity (e.g.
VPN) technologies
in place to ensure
conformance. Another
recent US regulation
is the Children's
Internet Protection Act
(CIPA), which aims at
protecting minors from
pornography, obscenity
and other material
harmful to minors.
CIPA conformance
mandates that all
publicly accessible
Internet connections
are protected by URL
and Web Content
Filtering, which ensures
only "proper" sites
are accessible from
the PC. These are
examples of US regulations; almost every nation has, or will soon have, similar
regulations in place.
Where the government has been lenient on conformance up to this point, they
are starting to become much more strict on enforcing and penalizing violators.
Figure 5 - Official HIPAA website
www.esoft.comPAGE 11
White Paper: Th e Mig ration to Deep Packet Inspection
5 - Security as a tool to increase workforce productivity
One of the most profound impacts of security is how it is utilized across all types
of organizations to increase operational efficiencies through enhanced workforce
productivity. There are two main technologies that are helping achieve this:
Web Security and Policy Enforcement
It is no longer a secret that a good amount of an average employee's day can
be spent online doing non-work-related activities. Web surfing, online shopping,
online gambling, stock trading and even online dating are a few of the more
common uses of company Internet resources.
In what many
employees might
consider a breach of
privacy, the company
employing URL
filtering technology
can monitor and report
on individual Internet
usage, and can also
set scheduled restric-
tions on what types
of sites employees
are allowed to access
throughout the day. If
the company is using
this type of technology,
eSoft highly recom-
mends that the HR
department make
public notice that this
technology is being
used, and also clearly state (in the employee handbook, for example) the rules
and restrictions of employee Internet usage. The figure above shows a typical
screen an eSoft user will see when they are trying to access a site that was
banned by an IT department employing eSoft SiteFilter technology, described later
in this document.
URL filtering is also a necessary tool for reducing liability that stems from illegal
and unethical use of the Internet in public places or organizations. A classic
example of this is where an employee (or Internet café patron, for that matter) is
accessing a porn site, and another person walks by, witnesses the activity, and
sues the company for emotional distress or a hostile work environment. Libraries
and schools, by their very nature, MUST have this type of technology deployed.
In addition to workforce productivity and liability protection, URL Filtering
technology is also the first line of defense at preventing users from accessing
Spyware sites. As noted in the previous section, however, Spyware is a much
more complicated problem than URL filtering alone can handle.
Figure 6 - Official HIPAA website
www.esoft.comPAGE 12
White Paper: Th e Mig ration to Deep Packet Inspection
Spam
Spam has grown into a major problem for all companies and organizations. Spam
is especially problematic for public email addresses (listed on a website, for
instance), or for common email addresses (support@your_company.com). Spam
is also the primary delivery mechanism for Phishing attacks, so its importance
has grown over the years. In 2006, over 86% of all e-mail was classified as spam.
Over 63% of this spam originates from new or unknown sources.
Spam is best dealt with at the security gateway. The reason for this is simple…
once Spam emails are inside the network, they are already consuming precious
network resources (such as storage, bandwidth and mail server CPU cycles).
If prevented before they ever get to a mail server, Spam can become a more
manageable nuisance and threat. Another reason Spam is best dealt with at the
security gateway is the sophistication of the tools and techniques that are possible
to implement at the gateway. Technologies such as word filtering, Bayesian
filtering, black and white lists, real-time blackhole lists (RBLs), DNS MX record
lookups, reverse DNS lookups, sender policy framework (SFP) compliance and
other techniques are all mandatory for effective Spam mitigation. A good gateway
Spam filter will reject Spam in such a way that the Spammer will eventually
remove the target from their Spam list.
For many technologies such as Bayesian filtering, it is necessary to have many,
many samples of known spam, and known ham (non-spam) to begin the heuristic
process of self-learning. This is another advantage of Anti-Spam technology at
the gateway, where there is visibility into every email coming into or exiting the
network.
www.esoft.comPAGE 13
White Paper: Th e Mig ration to Deep Packet Inspection
Part 2 - Issues with Current Security Solutions
Whether dealing with Intrusion attempts through application buffer overflows, Spyware
through drive-by installs, Phishing through deceiving emails or any of the other threats
described in this paper, there is one capability the security appliance requires above all
else: Deep Packet Inspection (DPI) intelligence.
To understand why, it is useful to look at the makeup of a typical Ethernet frame and how a
traditional firewall processes it.
As shown in the Ethernet frame above, Stateful Packet Inspection (SPI) essentially has
access to Layers 3 and 4 of the OSI stack (sometimes Layer 2, as well). SPI firewalls
perform the 'classic 5-tuple lookup'… that is, they scan and make allow/deny decisions
based on:
1. Source transport layer address (typically TCP or UDP)
2. Destination transport layer address (typically TCP or UDP)
3. Source IP address
4. Destination IP address
5. Service type (e.g. FTP, HTTP, SMTP, POP3)
What does this really mean? Using a Post Office analogy, the SPI firewall essentially looks
at the To and From addresses on a package, as well as the package type (tube, box, letter,
etc), and makes a decision about whether to mail the package based on pre-defined rules.
Nothing more and nothing less. There is no knowledge of what is inside the package.
SPI firewalls are generally regarded as "network-layer" security devices, as they provide no
protection for anything above Layer 4.
Ethernet
Internet
Protocol
(IP)
Transport
Layer
(TCP/UDP)
Data
Application LayerHeader Layers
Stateful Packet Inspection
L7L4L3L2
Figure 7 - Ethernet frame and how Stateful Packet Inspection (SPI) views it
www.esoft.comPAGE 14
White Paper: Th e Mig ration to Deep Packet Inspection
The figure below shows the same Ethernet frame, but this time with application-layer
information.
In addition to the classic 5-tuple lookup, DPI firewalls have "application
awareness". Application awareness is a very broad term, but in general it means
that the security appliance understands L7 protocols such as HTTP, SMTP, POP3,
IMAP and FTP, and also understands the actual applications that rely on those
protocols. For instance, Microsoft Outlook Exchange Server relies heavily on the
SMTP protocol, Microsoft Explorer and Mozilla Firefox rely on the HTTP protocol,
etc. In addition, there are custom protocols for applications such as Instant
Messaging, Microsoft SQL Server, Oracle Server, Siebel, etc.
DPI-capable appliances must also have the associated security services that allow
them to protect against Spyware, Viruses and other app-layer intrusions. Most
vendors, eSoft included, offer these services as optional software modules…
purchase the basic security appliance, and add services in an a la carte fashion
depending on network need.
As stated previously, the basic nature of network security has evolved to a
point where the MANDATORY services for any gateway security appliance
are Intrusion Prevention and Gateway Antivirus. Without these, the network
and its users are only partially protected.
Ethernet
Internet
Protocol
(IP)
Transport
Layer
(TCP/UDP)
Application LayerHeader Layers
Deep Packet Inspection
L7L4L3L2
Figure 8 - Ethernet frame and how Deep Packet Inspection (DPI) views it
Email (SMTP, POP3, IMAP)
Web (HTTP/S)
File Xfer (FTP, Gopher)
Instant Messanging
Peer-to-Peer Applications
Directory Services
Không có nhận xét nào:
Đăng nhận xét