Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Security: “The four eyed monster”
Joel Sible
Security TM
Juniper Networks
Dec 19, 2015
Agenda
• Security landscape and its evolution
• Challenges for the user and Universities
• Methods of University firewalling
• Types of firewalls and their evolution
• Layer 7 attacks and the response for mitigation
• SSL VPNs: ubiquitous and secure access
• Juniper Security Solutions
Beneath The Surface…
All segments have real concern
• Service Providers
  • Reliability, Bandwidth Piracy, Customer Data
  • Security As a Differentiator
• Utilities
  • Regulatory, Audit, SCADA Systems
• Financial Services
  • GLB, Sarbanes-Oxley, Audit, SEC…
• Healthcare Related
  • Privacy, Intellectual Property, Service continuity
• Federal, State & Local Government
  • DHS Regs, HIPAA, Privacy, Hacktivism, Service continuity
• Universities
  • Peer-to-Peer, RIAA
Vulnerabilities
[Chart: Vulnerabilities Over Time. X axis: Year, 1995 to 2003. Y axis: Vulnerabilities Reported, 0 to 4500. Source: CERT/CC - www.cert.org]
Vulnerabilities this week alone!
2004-07-27: RiSearch/RiSearch Pro Open Proxy Vulnerability
2004-07-27: phpMyFAQ Image Manager Authentication Bypass Vulnerability
2004-07-27: Opera Web Browser Location Replace URI Obfuscation Weakness
2004-07-26: Sun Solaris 'ypbind' Unspecified Buffer Overflow Vulnerability
2004-07-26: Zero G InstallAnywhere Insecure Temporary File Creation Vulnerability
2004-07-26: OpenDocMan Access Control Bypass Vulnerability
2004-07-26: Apple Mac OSX Internet Connect Insecure Temporary File Handling Symbolic Link Vulnerability
2004-07-26: Subversion 'mod_authz_svn' Access Control Bypass Vulnerabilities
2004-07-26: Dropbear SSH Server Digital Signature Standard Unspecified Authentication Vulnerability
2004-07-26: Invision Power Board Index.php Query String Cross-Site Scripting Vulnerability
2004-07-26: MoinMoin Unspecified Privilege Escalation Vulnerability
2004-07-26: MoinMoin PageEditor Unspecified Privilege Escalation Vulnerability
2004-07-26: PostNuke Reviews Module Cross-Site
2004-07-26: PHP Strip_Tags() Function Bypass Vulnerability
2004-07-26: PHP memory_limit Remote Code Execution Vulnerability
2004-07-26: XLineSoft ASPRunner Multiple Vulnerabilities
2004-07-26: Nucleus CMS Action.PHP SQL Injection Vulnerability
2004-07-26: EasyWeb FileManager Module Directory Traversal Vulnerability
2004-07-24: EasyIns Stadtportal Site Parameter Remote File Include Vulnerability
2004-07-24: eSeSIX Thintune Thin Client Devices Multiple Vulnerabilities
2004-07-24: Microsoft Systems Management Server Remote Denial Of Service Vulnerability
2004-07-24: PostNuke Install Script Administrator Password Disclosure Vulnerability
2004-07-23: HP-UX SMTKFONT Remote Unauthorized Access Vulnerability
2004-07-23: HP-UX XFS Remote Unauthorized Access Vulnerability
2004-07-23: Ethereal Multiple Unspecified iSNS, SMB and SNMP Protocol Dissector Vulnerabilities
2004-07-23: Apache mod_userdir Module Information Disclosure Vulnerability
2004-07-23: Computer Associates Common Services Multiple Denial Of Service Vulnerabilities
2004-07-23: Nessus Insecure Temporary File Creation Vulnerability
The Vulnerability & Threat Lifecycle
[Timeline diagram along a time axis, with two intervals labelled "Getting shorter"]
• Before new vulnerability is known
• New vulnerability discovered, advisory
• Exploit developed, released to public
• Worm released
Incidents (Realized Threats)
[Chart: Incidents Over Time. X axis: Year, 1995 to 2003. Y axis: Incidents Reported, 0 to 160000. Source: CERT/CC - www.cert.org]
Blended Threats / Worms
Slapper, Slammer, Code Red, Nimda, Blaster, Nachi / Welchia, Witty, Sasser
Shareware tools
• Password crackers
• Keystroke loggers
• GUI driven exploit engines
• Publicly available exploit / vulnerability research
• Worm customization tools
Hacker fun….
Here’s what he saw on his screen…
More hacker fun….
Extortion
Manipulation of Stock Market
Today’s Security Challenges for Universities
[Network diagram labels: Department Servers, DMZ, Finance, Univ ADMIN, Students, Computer Labs, Public, Campus, Schools, Internet, Data Center]
• Increasing network vulnerabilities
• No trusted network
• Increasing application attacks
• Growing need to provide secure, scalable access to internal/external users
• Need to securely run your business
Different Products, Different Levels of Security
[Diagram labels: Deny Traffic, Deny Some Attacks, Application Traffic; Stateful Inspection, Proxy]
Stateful Inspection Firewall
• Purpose: Protect network layer & access control
• Attacks Protected: DoS, Port scans, IP Spoofing
• Limitations: Application-level attacks get in
Proxy Firewall
• Purpose: Terminates all sessions
• Attacks Protected: Specific protocols
• Limitations: Low performance, limited protocols, HA
IDS
• Purpose: Compliance monitoring
• Attacks Protected: None
• Limitations: No attack protection, passive
Need for Pervasive Network & Application Attack Protection
[Diagram labels: Deny Traffic, Deny Some Attacks, Application Traffic; Detects Attacks, Drops Attacks]
Pervasive Security Requirements
New Firewall Requirements
• Firewall becomes application aware: network and application-level attack protection
• Operate as network device: good performance, more protocols, more attack coverage
• Enable analysis functions: comprehensive logging
Intrusion Prevention
• Complement firewall: 2nd layer of defense to prevent attacks
• Increase accuracy: detect more attacks, reduce false alarms
• Simplify management: rule-based, centralized control
Deep Inspection™ Firewall Delivers Network and Application level protection …
[Diagram labels: Stateful Inspection, Deep Inspection; Deny Traffic, Deny Some Attacks, Application Traffic; Reassemble, normalize, eliminate ambiguity; Protocol conformance; Application Attack; Track sessions; Packets]
Antivirus
• Detect attacks at the file level based on patterns
• AV deployed at desktop and mail servers
• Gateway deployment growing as additional layer
[Diagram labels: Desktop Antivirus (First Layer); File / Mail Server Antivirus (Second Layer); Gateway Antivirus (Third Layer); Central and Branch Offices; Remote Site]
Enterprise Run VPN Solutions
Site-to-site VPN
Fixed-site telecommuter
Traditional Remote access
Whole Enterprise
Remote access
Extranet access
IPSec VPN, SSL VPN
Intranet Access Control
Secure Meeting
Juniper’s Layered Security Solutions
Security Product Line
• Intrusion Detection and Prevention Solutions: 4 products that help. Intrusion prevention appliance protects network, critical resources from attacks through detection and prevention
• Integrated Firewall/IPSEC VPN Solutions: Appliances with various security options, interface, power supply and performance configurations for large/med enterprise and Service Providers
• Central Policy-based Management Solution: 3-tier system provides role-based administration and central control and logging of all NS FW/VPN solutions
• Secure Meeting: Enables secure cross-enterprise online meetings and application sharing
• Secure Access SSL VPN Solutions: 3 product lines for secure LAN, extranet and intranet access to mobile employees, customers and partners with no client software deployment or changes to LAN infrastructure
Education & Research Customers
Stanford University
Brown University
University of Buffalo
Gallaudet University
University of Miami
Indiana University
Johns Hopkins University
UCSF
Cornell University
DePaul University
Massachusetts Maritime Academy
Japan Advanced Institute of Science and Technology
Michigan State University
Oklahoma State University
UC Berkeley
Tufts University
Creighton University
Amherst
California State
Cambridge University
Cardiff University
Oxford University
Osaka University
Columbia University
Tokyo University
Oregon State
University of Pittsburgh
It’s All About Risk
Managing Risk
Risk = (Vulnerability × Threat × Asset Value ($$)) / Countermeasures
Points to remember
• There is no “silver bullet”
• Exploitation is no longer the domain of the specialist hacker
• People & their behavior is the weakest link
• Security policy outweighs point product
• Security is a revenue generation issue
Thank you