Security: “The four eyed monster”

Joel Sible, Security TM, Juniper Networks

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential. www.juniper.net

Dec 19, 2015

Page 1

Security: “The four eyed monster”

Joel Sible

Security TM, Juniper Networks

Page 2

Agenda

• Security landscape and its evolution
• Challenges for the user and Universities
  • Methods of University firewalling
• Types of firewalls and their evolution
• Layer 7 attacks and the response for mitigation
• SSL VPNs: ubiquitous and secure access
• Juniper Security Solutions

Page 3

Beneath The Surface…

Page 4

All segments have real concern

• Service Providers
  • Reliability, Bandwidth Piracy, Customer Data
  • Security As a Differentiator
• Utilities
  • Regulatory, Audit, SCADA Systems
• Financial Services
  • GLB, Sarbanes-Oxley, Audit, SEC…
• Healthcare Related
  • Privacy, Intellectual Property, Service continuity
• Federal, State & Local Government
  • DHS Regs, HIPAA, Privacy, Hacktivism, Service continuity
• Universities
  • Peer-to-Peer, RIAA

Page 5

Vulnerabilities

[Chart: Vulnerabilities Over Time. Y-axis: Vulnerabilities Reported (0 to 4500); X-axis: Year (1995 to 2003). Source: CERT/CC - www.cert.org]

Page 6

Vulnerabilities this week alone!

• 2004-07-27: RiSearch/RiSearch Pro Open Proxy Vulnerability
• 2004-07-27: phpMyFAQ Image Manager Authentication Bypass Vulnerability
• 2004-07-27: Opera Web Browser Location Replace URI Obfuscation Weakness
• 2004-07-26: Sun Solaris 'ypbind' Unspecified Buffer Overflow Vulnerability
• 2004-07-26: Zero G InstallAnywhere Insecure Temporary File Creation Vulnerability
• 2004-07-26: OpenDocMan Access Control Bypass Vulnerability
• 2004-07-26: Apple Mac OSX Internet Connect Insecure Temporary File Handling Symbolic Link Vulnerability
• 2004-07-26: Subversion 'mod_authz_svn' Access Control Bypass Vulnerabilities
• 2004-07-26: Dropbear SSH Server Digital Signature Standard Unspecified Authentication Vulnerability
• 2004-07-26: Invision Power Board Index.php Query String Cross-Site Scripting Vulnerability
• 2004-07-26: MoinMoin Unspecified Privilege Escalation Vulnerability
• 2004-07-26: MoinMoin PageEditor Unspecified Privilege Escalation Vulnerability
• 2004-07-26: PostNuke Reviews Module Cross-Site
• 2004-07-26: PHP Strip_Tags() Function Bypass Vulnerability
• 2004-07-26: PHP memory_limit Remote Code Execution Vulnerability
• 2004-07-26: XLineSoft ASPRunner Multiple Vulnerabilities
• 2004-07-26: Nucleus CMS Action.PHP SQL Injection Vulnerability
• 2004-07-26: EasyWeb FileManager Module Directory Traversal Vulnerability
• 2004-07-24: EasyIns Stadtportal Site Parameter Remote File Include Vulnerability
• 2004-07-24: eSeSIX Thintune Thin Client Devices Multiple Vulnerabilities
• 2004-07-24: Microsoft Systems Management Server Remote Denial Of Service Vulnerability
• 2004-07-24: PostNuke Install Script Administrator Password Disclosure Vulnerability
• 2004-07-23: HP-UX SMTKFONT Remote Unauthorized Access Vulnerability
• 2004-07-23: HP-UX XFS Remote Unauthorized Access Vulnerability
• 2004-07-23: Ethereal Multiple Unspecified iSNS, SMB and SNMP Protocol Dissector Vulnerabilities
• 2004-07-23: Apache mod_userdir Module Information Disclosure Vulnerability
• 2004-07-23: Computer Associates Common Services Multiple Denial Of Service Vulnerabilities
• 2004-07-23: Nessus Insecure Temporary File Creation Vulnerability

Page 7

The Vulnerability & Threat Lifecycle

[Timeline diagram; stages in order along the time axis:]

• Before new vulnerability is known
• New vulnerability discovered; advisory
• Exploit developed; released to public
• Worm released

[Interval labels: Getting shorter; Getting shorter]

Page 8

Incidents (Realized Threats)

[Chart: Incidents Over Time. Y-axis: Incidents Reported (0 to 160000); X-axis: Year (1995 to 2003). Source: CERT/CC - www.cert.org]

Page 9

Blended Threats / Worms

• Slapper
• Slammer
• Code Red
• Nimda
• Blaster
• Nachi / Welchia
• Witty
• Sasser

Page 10

Shareware tools

• Password crackers
• Keystroke loggers
• GUI driven exploit engines
• Publicly available exploit / vulnerability research
• Worm customization tools

Page 11

Hacker fun….

Page 12

Here’s what he saw on his screen…

Page 13

More hacker fun….

Page 14

Extortion

Page 15

Manipulation of Stock Market

Page 16

Today’s Security Challenges for Universities

[Network diagram labels: Department Servers; DMZ; Finance; Univ ADMIN; Students; Computer Labs; Public; Campus; Schools; Internet; Data Center]

• Increasing network vulnerabilities
• No trusted network
• Increasing application attacks
• Growing need to provide secure, scalable access to internal/external users
• Need to securely run your business

Page 17

Different Products, Different Levels of Security

[Diagram labels: Deny Traffic; Deny Some Attacks; Application Traffic; Stateful Inspection; Proxy]

Stateful Inspection Firewall

• Purpose: Protect network layer & access control
• Attacks Protected: DoS, Port scans, IP Spoofing
• Limitations: Application-level attacks get in

Proxy Firewall

• Purpose: Terminates all sessions
• Attacks Protected: Specific protocols
• Limitations: Low performance, limited protocols, HA

IDS

• Purpose: Compliance monitoring
• Attacks Protected: None
• Limitations: No attack protection, passive

Page 18

Need for Pervasive Network & Application Attack Protection

[Diagram labels: Deny Traffic; Deny Some Attacks; Application Traffic; Detects Attacks; Drops Attacks]

Pervasive Security Requirements

New Firewall Requirements

• Firewall becomes application aware: network and application-level attack protection
• Operate as network device: good performance, more protocols, more attack coverage
• Enable analysis functions: comprehensive logging

Intrusion Prevention

• Complement firewall: 2nd layer of defense to prevent attacks
• Increase accuracy: detect more attacks, reduce false alarms
• Simplify management: rule-based, centralized control

Page 19

Deep Inspection™ Firewall Delivers Network and Application level protection …

[Diagram labels: Stateful Inspection; Deep Inspection; Deny Traffic; Deny Some Attacks; Application Traffic; Reassemble, normalize, eliminate ambiguity; Protocol conformance; Application Attack; Track sessions; Packets]

Page 20

Antivirus

• Detect attacks at the file level based on patterns
• AV deployed at desktop and mail servers
• Gateway deployment growing as additional layer

[Diagram labels: Desktop Antivirus (First Layer); File / Mail Server Antivirus (Second Layer); Gateway Antivirus (Third Layer); Central and Branch Offices; Remote Site]

Page 21

Enterprise Run VPN Solutions

Site-to-site VPN

Fixed-site telecommuter

Traditional Remote access

Whole Enterprise

Remote access

Extranet access

IPSec VPN

SSL VPN

Intranet Access Control

Secure Meeting

Page 22

Juniper’s Layered Security Solutions

Page 23

Security Product Line

Intrusion Detection and Prevention Solutions
4 products that help
Intrusion prevention appliance protects network, critical resources from attacks through detection and prevention

Integrated Firewall/IPSEC VPN Solutions
Appliances with various security options, interface, power supply and performance configurations for large/med enterprise and Service Providers

Central Policy-based Management Solution
3-tier system provides role-based administration and central control and logging of all NS FW/VPN solutions

Secure Meeting
Enables secure cross-enterprise online meetings and application sharing

Secure Access SSL VPN Solutions
3 product lines for secure LAN, extranet and intranet access to mobile employees, customers and partners with no client software deployment or changes to LAN infrastructure

Page 24

Education & Research Customers

Stanford University

Brown University

University of Buffalo

Gallaudet University

University of Miami

Indiana University

Johns Hopkins University

UCSF

Cornell University

DePaul University

Massachusetts Maritime Academy

Japan Advanced Institute of Science and Technology

Michigan State University

Oklahoma State University

UC Berkeley

Tufts University

Creighton University

Amherst

California State

Cambridge University

Cardiff University

Oxford University

Osaka University

Columbia University

Tokyo University

Oregon State

University of Pittsburgh

Page 25

It’s All About Risk

Page 26

Managing Risk

Risk = (Vulnerability × Threat × Asset Value) / Countermeasures

Page 27

Points to remember

• There is no “silver bullet”
• Exploitation is no longer the domain of the specialist hacker
• People & their behavior are the weakest link
• Security policy outweighs point product
• Security is a revenue generation issue

Page 28

Thank you