More Security for the LAN: Introducing Network Integrated ...

Dec 18, 2021

Page 1: More Security for the LAN: Introducing Network Integrated ...

IT-Symposium 2005

www.decus.de 1

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

More Security for the LAN: Introducing Network Integrated Virus Throttling (3E07)

Jens-H. Egger

Technical Consultant

2

Viruses – a chronology

10 years ago…“sneaker net” floppy disc attacks

5 years ago…viruses that required some type of human interaction to spread (open an attachment, etc.)

Today…worms are the ever more prevalent type of virus – no human interaction needed – computational speed spread


3

Virus types

Worm – infects a system and attempts to infiltrate as many connected systems as possible in the shortest amount of time with no human interaction required

Trojan horse – a program that is disguised as something benign which generally needs some sort of human interaction to “open” and can do any number of malicious acts such as erasing data, allowing hijacking of system, etc.

Macro virus – type of computer virus that is encoded as a macro embedded in a document – again requires human interaction to open / launch the virus activity

Key logger – virus type is embedded in another type of virus (trojan horse, macro virus, other) that records and transmits all user key strokes back to the virus author

Email virus – virus transmitted via common email programs as an attachment or embedded file that generally needs to be opened to be launched and can then spread to anyone in the user's email contact list

4

ProCurve 5300xl Software Release 3

The Virus Problem …

Anti-virus software (client-based) works by preventing infection

• Works well but can't detect “day zero” threats

A day-zero worm-type virus can spread very rapidly and cause lots of damage:

• Many infected machines
• Clogged networks

Examples:
• SQLSlammer
• Sasser

05:29 Jan 25 – 0 infected

06:00 Jan 25 – 74855 infected

Content embargoed until Feb 11, 2005


5

Security Matters

Key Business Issue: The customer requires a network that is resilient and available even when under attack

Network Implication: The network must defend against unknown attacks to prevent network downtime, avoiding costly lost productivity and business function failure

6

Top Security Concerns

[Bar chart: share of surveyed customers naming each concern. Categories, in chart order: Regulatory/Compliance Issues, SPAM Prevention, Prevent Hackers, Virus Protection, Protect sensitive/confidential data, Simplify remote access to data, Fear of litigation, Other. Values shown, in the same order: 12%, 13%, 38%, 76%, 42%, 4%, 6%, 2% (y-axis 0% to 80%).]

Source: hp SMB Solutions Initiative Customer Survey – UK Channel Partner Summary, March 2004

Top five, as ranked on the slide:

Virus Protection

Data Protection

Hacker Prevention

SPAM Prevention

Regulatory Issues


7

Viruses – the costs

Virus/worm costs:

― 2001: CodeRed worm averaged $2.6 billion in productivity loss

― 2002: Klez virus averaged $9.0 billion in productivity loss

― 2003: SQL Slammer worm estimates ranged from $950 million to $1.2 billion in lost productivity in its first five days worldwide

― 2004: Sasser virus costs estimated at $500M (as of May and *still* counting)

Estimated cost per virus/worm incident according to the Corporate IT Forum (a UK organization) as of May 2004: $236k per company in man hours and related costs

― Previous estimates were much lower per company/incident

― Growing at exponential rates

8

Access security -- Attacks from “within”

1 out of every 3 damaging network attacks comes from a person who has a legitimate reason to access at least some part of the corporate LAN

Of those prosecuted under the Economic Espionage Act of 2002, 4 out of 5 defendants were “insiders” -- current or former employees

In a default state – a network port is “open”

Access for all guests or access for none

Administrators need more tools to set specific protections on all parts of their network


9

A powerful solution to one of the most pressing problems for CIOs and Network Administrators around the world:

More Protection, Detection and Response with Network Integrated Virus Throttling

More Security Across the LAN: Feb 11, 2005 Announcement

10

The ProCurve Adaptive EDGE Architecture

Security Cycle:

Prevent/Protect – before a security breach

Detect – during a security breach

Respond – mitigate a security breach

CftC


11

Virus Throttling explained

Virus throttling is unique to ProCurve

Virus throttling is like a powerful medicine that minimizes the worst symptoms of a cold or flu - without eradicating the virus causing the illness

Virus throttling “puts the virus back into a box”, but the network administrator eventually has to go back and shoot the virus and put it out of its misery

12

No Virus Throttling

The demo begins without virus throttling and illustrates the normal propagation of the virus

• Client A is initially infected, clients B, C etc. are clean

• Observe that client A is generating traffic to random IP addresses

• Quickly, clients B and C become infected, and also start sending to random IP addresses

[Diagram: Client A, Client B and Client C attached to the switch; a Telnet session to the switch shows port state]


13

Virus Throttling Enabled

Virus Throttling is enabled via the Web Console

• Client A is initially infected, clients B and C are clean

• Observe that client A is generating traffic to random IP addresses

• Clients B & C are not infected, because the traffic from client A is throttled

• The console shows the port connected to client A has been throttled, while ports for clients B & C are open

[Diagram: Client A, Client B and Client C attached to the switch; a Telnet session to the switch shows port state]

14

Security is Prevent, Detect and Respond

• Attacks/problems occur at machine speed

• Response is at human speed

• In the meantime, computers are defenseless…
– so attacks expand quickly until the response is implemented

• Economic balance trades cost of prevention/response with risk

• As systems get bigger and more complex, the problem gets bigger


15

A solution: Resilient infrastructure

• Buys time!

• Automatically hampers, contains, and mitigates attacks/problems before a more definite (human) response

• Complement and aid to existing approaches
– People – good at decisions but slow
– Computers – can't make decisions but fast

16

For viruses…

• Prevention:
– Patching machines, using virus signatures

• Response:
– Crisis teams

• Resilient infrastructure:
– Virus throttling
– Prevent the virus spreading further from an infected machine

• Machine will still be infected but
– The overall spread of the virus will be slowed
– There will be less traffic as it spreads


17

For Virus Throttling – we target the virus behavior…

• For a worm virus to spread from an infected machine, it needs to contact different new machines
– They tend to contact different machines quickly: e.g. SQLSlammer tries to infect >800 machines per second

• The normal behavior of an uninfected machine is to:
– make connections to the same machines repeatedly
– make connections at a much lower rate; typically one connection per second

• Solution:
– Implement a rate-limiter on interactions with different machines
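An added example, not code from the presentation or from HP/ProCurve: a Python model of the per-host rate-limiter just described (a small working set of recently contacted hosts that pass immediately, a delay queue for new destinations drained at one per second, and an alert when the queue grows), run over a constructed "normal" host and a constructed scanning host. The working-set size, release rate, alert threshold and all addresses are assumptions for illustration.

```python
from collections import deque
class VirusThrottle:
    """Per-host throttle: hosts in a small working set pass at once, new destinations
    wait in a delay queue drained at a fixed rate, and a long queue raises the alert.
    Sizes and thresholds are illustrative assumptions, not the 5300xl's parameters."""
    def __init__(self, working_set_size=5, new_per_second=1, alert_queue_len=50):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted hosts (LRU)
        self.delay_queue = deque()                          # new destinations awaiting release
        self.new_per_second = new_per_second
        self.alert_queue_len = alert_queue_len
        self.requested = self.delivered = 0
        self.alerted = False

    def request(self, dst):                   # one connection attempt; True = forwarded now
        self.requested += 1
        if dst in self.working_set:
            self.working_set.remove(dst)      # refresh LRU position
            self.working_set.append(dst)
            self.delivered += 1
            return True
        self.delay_queue.append(dst)          # unknown host: wait for a slot
        if len(self.delay_queue) > self.alert_queue_len:
            self.alerted = True               # queue growth is the "virus activity" signal
        return False

    def tick(self):                           # once per second: admit a few new hosts
        for _ in range(self.new_per_second):
            if not self.delay_queue:
                return
            dst = self.delay_queue.popleft()
            self.working_set.append(dst)      # deque(maxlen) evicts the least recently used
            self.delivered += 1
            while dst in self.delay_queue:    # waiting attempts to the same host go with it
                self.delay_queue.remove(dst)
                self.delivered += 1

def simulate(traffic, seconds, **kw):         # traffic(t) -> destinations tried in second t
    th = VirusThrottle(**kw)
    for t in range(seconds):
        for dst in traffic(t):
            th.request(dst)
        th.tick()
    return th

def normal_host(t):  # constructed: same three servers every second, one new peer every 4 s
    return ["10.0.0.10", "10.0.0.11", "10.0.0.12"] + (["10.0.1.%d" % t] if t % 4 == 0 else [])

def worm_host(t):    # constructed: 800 never-before-seen addresses per second (Slammer-like)
    return ["10.0.%d.%d" % (n // 256, n % 256) for n in range(t * 800, t * 800 + 800)]
```

With these settings the scanning host reaches one new destination per second no matter how fast it tries, while the normal host's traffic is delivered in full; the queue length is the quantity a switch would turn into the trap and log event the later slides mention.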

18

Solution: Virus throttling in an L3 environment

As a worm virus attempts to spread, the 5300xl detects the activity and automatically either:

• Throttles traffic from these nodes at the routed VLAN boundary
– Greatly slowing the virus spread
– Allowing time to react without bringing the network down

– or –

• Prevents all traffic from the infected client from being routed to other parts of the network
– Stopping virus spread, but additionally preventing all traffic from the infected client from being routed to the rest of the network


19

5300xl virus throttling caveat

Throttling automatically occurs only for traffic across routed VLANs
• Routing is required; there is no automatic effect in pure L2 environments
• Other nodes on the VLAN with the infected client are still at risk
– Traffic from infected clients continues to be forwarded in the L2 environment
– BUT
– The network manager is notified of virus activity and can take steps through PCM to find and shut down the switch port where the virus is entering the network.

20

Solution: Virus throttling in an L2 environment

If you are running PCM 1.6 or later:
― PCM gets the trap from the 5300 identifying the IP address of the infected client

Net Mgr can then:
– Use PCM to find the switch port associated with this IP address
– Shut down the switch port, preventing the virus from entering the network at L2 as well
– Net Mgr can now deal with just the client, not the rest of the network


21

Virus throttling in an L2 environment

1. 5300 detects virus activity

2. Alerts PCM with IP addr and MAC addr of infected client

3. Net Manager alerted

4. Manager uses ‘Find Switch Port’ utility to locate client switch port

5. Manager shuts down that switch port

[Diagram: infected client (Virus) → 5300 → PCM; traffic blocked (X) at the client's switch port]

22

Advantages to virus throttling

• Works without knowing anything about the virus
– Handles unknown viruses
– Needs no signature updates

• Protects network infrastructure
– Network and switches will stay up and running, even when under attack

• Notification
– When a host is throttled, an SNMP trap and log event is generated
– IT staff has time to react, before the problem escalates to a crisis


23

ProCurve 5300xl Software Release 3

Network Integrated Virus Throttling

Virus Throttling (worm containment) is built in, not bolted on, for a more resilient network infrastructure with no client software required

Detection is based only on the network behavior of the virus, protecting against new and unidentified threats – day zero

Prevents the spread of the virus in machine time – throttles the traffic at the source

Provides event log and SNMP trap warnings to ProCurve Manager Plus to alert IT, allowing initiation of long-term actions

Available as a free update, it is easy to deploy widely, making it difficult for viruses to spread at all

Invented and patented at HP Labs and implemented within the 5300xl by ProCurve Networking as an element of our overall security portfolio
