Title: Security Products
1. Security Products Research for Campus Networks
- Erik G. Mettala, Ph.D.
- Vice President, Network Associates Laboratories
2. Summary
- Problems with malicious activity are increasing
- Products are available to solve some of the problems
- Research must be focused to keep up with and eventually get ahead of problems
- Partnership among government, industry, and academia is the solution
3. Network Incidents are Increasing
Source: CMU Computer Emergency Response Team
4. Application Vulnerabilities are Increasing
Source: CMU Computer Emergency Response Team
5. Machines Infected per Hour at Peak
(Chart: machines infected per hour, by malicious agent)
- Code Red: 2,777
- Nimda: 6,250
- Goner: 12,500
- Slammer: 100,000
Source: McAfee AVERT
6. The Speed of Attack Accelerates: Slammer Goes Global in 3 Minutes
7. Companies Are Becoming More Porous, Susceptible to War Driving
- Web services applications under development by 98% of large enterprises
- 70% of WiFi networks are not secure
- 50M telecommuters
- 500 million Smart Phones by 2006
8. Network Associates Strategy
9. Product Extensions and New Markets
10. The Network Associates Security Portfolio
Network Associates Complete Threat Protection
System Protection Solutions
- Anti-Virus: McAfee AntiVirus, #1 in corporate usage, now with online solutions for employee and partner usage
- Enterprise Spam: McAfee SpamKiller Exchange gateway products
- Host Intrusion Prevention: McAfee Entercept stopped Slammer in production networks
- Policy Enforcement: ePO, 1 hour global react time. Rogue machine detection under development.
Network Protection Solutions
- Network Intrusion Prevention: McAfee IntruShield blocks at gigabit speeds
- Security Forensics: InfiniStream Security Forensics, high speed collection & analysis
- Network Instrumentation: Sniffer Network Protection Architecture
- Network and Application Management: nPO Solution
11. Protection Against New & Known Attacks
Policy Enforcement & Remediation
Forensic Analysis
12. System Protection Solutions
SpamKiller Enterprise
13. McAfee VirusScan - Desktop & Server
- Windows NT4.0/XP/2000, Windows Server NT4.0/2000/2003, plus Celerra and Citrix
- On-Access, On-Demand, Scheduled, Memory and Email Scanning
- Centralized Management and Graphical Reporting
  - ePolicy Orchestrator, including 3.0 support
- Sophisticated Automatic Updating
  - AutoUpdate via HTTP, FTP, UNC share, local or mapped drives
  - Incremental DATs, full DATs, engine updates, Extra.DATs, service packs, or hot-fixes
  - Resumable updating
- Extensive Language Support
  - 13 languages
  - Microsoft Multilingual User Interface (MUI) support
14. McAfee SpamKiller
- Rules-Based Scanning and Scoring, 650 rules
- 5 protection levels
- Integrity analysis: examines the header, layout and organization of each email message to identify the common characteristics of spam
- Heuristic detection: many rules are automated based on known spam characteristics
- Content filtering: detects keywords and phrases
- Black and white lists: a whitelist defines acceptable senders of email; a blacklist defines unwanted and unacceptable senders of email
- Self tuning: adjusts the spam score for senders who have previously been accepted senders of legitimate email
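The scoring pipeline the slide lists (weighted rules, protection-level thresholds, header integrity checks, content phrases, white/black lists and self-tuning) fits in a few dozen lines. The block below is an added illustration, not SpamKiller's code: its rules, weights, thresholds and sample messages are all constructed, and the real product's 650 rules are not on this page. It shows one design choice worth noticing: the self-tuning credit is capped, so a trusted sender whose account has been compromised still trips the filter once its mail looks bad enough.

```python
"""Toy rules-based spam scorer illustrating the pipeline on the slide:
scored rules, protection levels, header integrity checks, content keywords,
white/black lists and self-tuning.  Added example, not SpamKiller's code;
every rule, weight and threshold below is constructed for illustration."""
import re
from email import message_from_string

# Five protection levels, as the slide states; the thresholds are assumed.
# A higher level is stricter: less accumulated score is needed to call spam.
PROTECTION_LEVELS = {1: 10.0, 2: 8.0, 3: 6.0, 4: 4.0, 5: 2.0}


def _missing_header(name):
    return lambda msg: msg.get(name) is None


def _has_phrase(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda msg: bool(rx.search(msg.get_payload() or ""))


# Constructed rules: (name, weight, predicate over a parsed email.message.Message).
RULES = [
    # Integrity analysis: headers and layout that legitimate mail almost always has.
    ("MISSING_MESSAGE_ID", 1.5, _missing_header("Message-ID")),
    ("MISSING_DATE", 1.0, _missing_header("Date")),
    ("NO_TO_HEADER", 2.0, _missing_header("To")),
    ("SUBJECT_ALL_CAPS", 1.5, lambda m: (m.get("Subject") or "").isupper()),
    # Heuristic detection: a "Re:" subject that is not actually a reply.
    ("FAKE_REPLY", 1.0, lambda m: (m.get("Subject") or "").lower().startswith("re:")
                                  and m.get("In-Reply-To") is None),
    # Content filtering: keywords and phrases in the body.
    ("PHRASE_FREE_MONEY", 3.0, _has_phrase(r"free money")),
    ("PHRASE_CLICK_HERE", 1.5, _has_phrase(r"click here")),
    ("PHRASE_UNSUBSCRIBE", 0.5, _has_phrase(r"unsubscribe")),
]


class SpamScorer:
    def __init__(self, level=3, whitelist=(), blacklist=()):
        self.threshold = PROTECTION_LEVELS[level]
        self.whitelist = {a.lower() for a in whitelist}
        self.blacklist = {a.lower() for a in blacklist}
        self.accepted = {}  # sender -> count of messages previously accepted as legitimate

    @staticmethod
    def sender_address(msg):
        raw = msg.get("From") or ""
        m = re.search(r"<([^>]+)>", raw)
        return (m.group(1) if m else raw).strip().lower()

    def score(self, raw_message):
        msg = message_from_string(raw_message)
        sender = self.sender_address(msg)
        hits = [(name, weight) for name, weight, pred in RULES if pred(msg)]
        total = sum(weight for _, weight in hits)
        # Self-tuning: a sender with a history of accepted legitimate mail earns a
        # credit against the score, capped so a hijacked trusted account still trips.
        credit = min(0.5 * self.accepted.get(sender, 0), 3.0)
        total -= credit
        if sender in self.blacklist:          # blacklist wins over everything
            verdict = "spam"
        elif sender in self.whitelist:        # whitelist bypasses scoring
            verdict = "ham"
        else:
            verdict = "spam" if total >= self.threshold else "ham"
        if verdict == "ham":
            self.accepted[sender] = self.accepted.get(sender, 0) + 1
        return {"sender": sender, "score": total, "credit": credit,
                "hits": [name for name, _ in hits], "verdict": verdict}


# Constructed sample messages (headers, blank line, body).
SAMPLE_SPAM = ("From: promo <deals@example.invalid>\n"
               "Subject: FREE MONEY NOW\n\n"
               "Click here for free money!\n")
SAMPLE_HAM = ("From: Alice <alice@example.invalid>\nTo: bob@example.invalid\n"
              "Date: Mon, 06 Jan 2003 10:00:00 +0000\nMessage-ID: <1@example.invalid>\n"
              "Subject: Re: meeting\nIn-Reply-To: <0@example.invalid>\n\n"
              "See you at 3; click here for the agenda link.\n")
SAMPLE_BORDERLINE = ("From: Alice <alice@example.invalid>\nTo: bob@example.invalid\n"
                     "Date: Tue, 07 Jan 2003 10:00:00 +0000\nMessage-ID: <2@example.invalid>\n"
                     "Subject: Re: offer\n\n"
                     "Click here for free money, no catch.\n")


def self_tuning_demo(level=4, prior_accepted=4):
    """Same borderline message from an unknown sender and from a sender with history."""
    fresh = SpamScorer(level=level).score(SAMPLE_BORDERLINE)["verdict"]
    tuned = SpamScorer(level=level)
    for _ in range(prior_accepted):
        tuned.score(SAMPLE_HAM)  # builds up alice's accepted-sender history
    return fresh, tuned.score(SAMPLE_BORDERLINE)["verdict"]


if __name__ == "__main__":
    scorer = SpamScorer(level=3)
    for sample in (SAMPLE_SPAM, SAMPLE_HAM):
        print(scorer.score(sample))
    print(self_tuning_demo())
```

Run as-is, the constructed spam sample scores 10.5 and the reply scores 1.5 at level 3; `self_tuning_demo` shows the same borderline message judged spam from an unknown sender but accepted from a sender with four previously accepted messages, which is exactly the trade-off the self-tuning bullet describes and the reason the credit is capped.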
15. Entercept Host Intrusion Protection
- Host-based intrusion protection software that implements:
  - Signature-based detection
  - Anomaly-based detection
  - Behavior-based detection
16. Entercept Host Intrusion Protection
17. ePolicy Orchestrator
- Centralized control & visibility of malicious code defenses
- Deploy & maintain updated protection
  - Update 50,000 devices in less than one hour
  - Distribute weekly/emergency DATs, engines, SPs, hot fixes, Extra.DATs, patches
  - Identify and protect new devices and machines
- Configure & enforce policies centrally
  - Lock down & automate your policy
  - Customize policy to combat new threats
  - Coordinate defenses for blended threats
- Monitor activity with total visibility
  - Am I protected? Am I infected?
  - View key one-page executive summaries
  - Track an outbreak to its source
  - Initiate and report on viral vulnerability scans
18. McAfee Security AVERT - Anti-Virus Emergency Response Team
- Leading AV research team with 50 years combined experience
- Global presence
  - 365 days/year, 7 days/week, 24 hours/day!
- Advanced virus analysis and research
- Leading-edge anti-virus services
- Driving scan engine development
19. Network Protection Solutions
Sniffer Wireless
20. IntruVert Network Intrusion Prevention
Industry's first real-time network intrusion prevention against known, unknown and DoS attacks
21. IntruVert Network Intrusion Prevention
22. IntruShield Next Generation IDS
- Accurate detection and real-time prevention
- Unprecedented intrusion intelligence
- Comprehensive integrated protection
  - Advanced signature, anomaly and DoS detection
- Scalability and deployment flexibility
  - In-line, tap, SPAN, port clustering, high availability
- Delivers security return on investment (ROI)
23. InfiniStream Security Forensics
- Network traffic forensic software based on Traxis stream-to-disk technology
- Continuously capture and store network traffic
  - Stores up to 2.5 days of traffic at gigabit speeds in 2.7 TeraBytes of storage
- Reconstruct, replay, and investigate specific events, such as security breaches and network slowdowns
- Allows in-depth understanding of the root cause of costly problems to prevent them from happening again
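The retention figure on this slide is the kind of number a practitioner should check before sizing a capture appliance. The block below is an added worked example, not InfiniStream code; it assumes decimal terabytes (10**12 bytes), the raw link rate, and no capture overhead, indexing cost or compression. Under those assumptions 2.7 TB holds about six hours at full gigabit line rate, and the slide's 2.5 days corresponds to an average utilization of about 10%, so capture storage should be sized from measured average throughput rather than from link speed.

```python
"""Retention planning for continuous full-packet capture, as an added example
(not InfiniStream code).  It checks the slide's figure of 2.5 days of traffic
at gigabit speeds in 2.7 TB.  Assumptions: decimal terabytes (10**12 bytes),
raw link rate, and no capture overhead, indexing cost or compression."""

BYTES_PER_TB = 10 ** 12
SECONDS_PER_DAY = 86_400


def ingest_bytes_per_second(link_bps, utilization):
    """Bytes written to disk per second for a link at the given average utilization (0..1]."""
    if not 0.0 < utilization <= 1.0:
        raise ValueError("utilization must be in (0, 1]")
    return link_bps / 8.0 * utilization


def retention_hours(storage_tb, link_bps, utilization):
    """Hours of traffic that fit in storage_tb before the oldest packets are overwritten."""
    return storage_tb * BYTES_PER_TB / ingest_bytes_per_second(link_bps, utilization) / 3600.0


def required_utilization(storage_tb, link_bps, retention_days):
    """Average link utilization at which storage_tb holds exactly retention_days of traffic."""
    return storage_tb * BYTES_PER_TB / (link_bps / 8.0 * retention_days * SECONDS_PER_DAY)


def storage_tb_needed(link_bps, utilization, retention_days):
    """Storage needed to keep retention_days of traffic at this rate and utilization."""
    return ingest_bytes_per_second(link_bps, utilization) * retention_days * SECONDS_PER_DAY / BYTES_PER_TB


def slide_figures():
    """Worked check of the 2.5 days / gigabit / 2.7 TB claim on the slide."""
    gigabit = 1e9
    return {
        "hours_at_full_line_rate": retention_hours(2.7, gigabit, 1.0),
        "utilization_for_2_5_days": required_utilization(2.7, gigabit, 2.5),
        "tb_for_2_5_days_at_line_rate": storage_tb_needed(gigabit, 1.0, 2.5),
    }


if __name__ == "__main__":
    for name, value in slide_figures().items():
        print(f"{name}: {value:.2f}")
```

The same three functions answer the planning questions in either direction: how long a given appliance will retain traffic on a link you have measured, and how much storage a required retention window implies.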
24. Sniffer Technologies
- Network Instrumentation: Sniffer Network Protection Architecture
- Expert Analysis in the Field: Sniffer Portable
- Protocol Analysis in a Single Network Appliance: Sniffer Distributed
- Manage wireless LAN 802.11b environments: Sniffer Wireless
- Analyze Voice/Data convergence: Sniffer Voice Over IP
- Small Business Network Analysis: Sniffer Investigator
- Network and Application Management: nPO Solution
25. The Intrusion Protection Challenge
- Intrusion protection technologies are nascent in nature
- Intrusion protection is addressing a fundamentally hard, if not intractable, problem
- Regardless of the difficulty, the need remains high
- Requires substantial R&D partnership among government, industry, and academia
26. Network Associates Laboratories
- Vision
  - To be internationally recognized as the leading authority in intrusion protection research
- Mission
  - To conduct fundamental and applied research and to develop prototype applications that provide highly accurate, highly automated approaches to computer and network security and response
27. Network Associates Labs Organization and Projects
Research groups:
- HIP: Host Intrusion Protection
- NIP: Network Intrusion Protection
- SPM: Security Policy Mgmt
- TAVA: Threats, Attacks, Vulnerabilities & Architectures
- HPAF: High Performance Assurance & Forensics
- WIP: Wireless Intrusion Protection
- MCD: Malicious Code Defense
Projects and technologies shown on the chart: Trusted BSD, SELinux, Wrappers, SHIM, IDIP/CITRA, ANIDR, NetBouncer, FloodWatch, CORBA, Java RMI, ITDOS, RBAC, TBAC, TMAC, CBAC, ABAC, Metrics, GINSU, Sniffer IXP, DoS, DDoS, Worms, Anti-Spam, 802.11b, Windows, Palm OS, WinCE, IDMANET, Spice, IDioM, Semantic Processor, HESSI, TWNA, Sequoia, 3RG, De-Worm, SPMA, SADD
28. Mapping Labs RGs to BU Strategy
(Chart: research groups HIP, NIP, WIP, MCD, SPM, HPAF and TAVA mapped to business-unit strategy)
29. Host Intrusion Protection
Current Products
- Large Enterprises (> 2000)
  - McAfee VirusScan
  - ePolicy Orchestrator
  - Entercept IDS
  - E-Business Server
  - Groupshield
  - WebShield
  - SpamKiller
- Medium Enterprises (251-2000)
  - McAfee VirusScan
  - ePolicy Orchestrator
  - Entercept IDS
  - E-Business Server
  - Groupshield
  - WebShield
  - SpamKiller
- Small Business (< 251)
  - McAfee VirusScan
  - ePolicy Orchestrator
  - Entercept IDS
- Consumers
  - McAfee VirusScan
  - McAfee SpamKiller
  - McAfee Personal Firewall
Current Research
- Host-based security and intrusion prevention from the operating system out
- Automatic and highly accurate intrusion
  - Identification, detection, impact, response, forensics, remediation and incident management
- Open source secure operating systems and boot loaders
  - Trusted BSD (5.0)
  - Security Enhanced Linux
  - Generic software wrappers
- Secure Windows systems
  - X-Windows
  - MS Windows
- Secure Middleware programs
  - FTP, SMTP, HTTP, CORBA
30. Host Intrusion Protection
BU Research / Government Research
- Operating Systems
  - e500 Linux platform security evaluation
  - Sniffer re-hosting
- Operating Systems
  - Trusted BSD Framework
  - Security Enhanced Linux
- Intrusion Protection
  - Guaranteed Internet stack utilization (GINSU)
  - Generic software wrappers
  - System health and intrusion monitoring (SHIM)
- Intrusion Protection
  - Response and Remediation
- Security Engineering
  - Porting and testing for VirusScan engine OEM customers
- Security Engineering
  - Commercial OS audit facilities
31. Network Intrusion Protection
Current Products
- Large Enterprises (> 2000)
  - Sniffer nPO
  - Sniffer Distributed
  - Sniffer Portable
  - Infinistream Forensics
  - NetShield
  - e500/e1000
  - IntruShield Network IDS
- Medium Enterprises (250-2000)
  - Sniffer nPO
  - Sniffer Distributed
  - Sniffer Portable
  - Sniffer Wireless
  - NetShield
  - e250
  - IntruShield Network IDS
- Small Business (< 250)
  - Sniffer Portable
  - Sniffer Wireless
  - IntruShield Network IDS
- Consumers
  - McAfee Personal Firewall
Current Research
- Preventing intrusions from entering and traversing wired and wireless networks
- Analyzing, interpreting, filtering, and shaping network traffic, and
- Rapidly coordinating other defensive actions on hosts, gateways, network monitors, management components, and specialized security devices
- Components and protocols focused on network devices and protocols
  - Coordinated intrusion traceback and response architectures and protocols for large enterprises
  - QoS and intrusion detection/correlation in wired and wireless networks, e.g., MANETs
  - Mobile-code-based network security components
  - DDoS and worm defense
  - Protocol interpretation and filtering in monitoring devices and security gateways such as firewalls, routers, switches, and guards
32. Network Intrusion Protection
BU Research / Government Research
- Coordinated Analysis
  - End-Host Corroboration IRD
- Coordinated Action
  - Intrusion Detection Interface Protocol (IDIP), CITRA/IDIP
  - Adaptive Network Intrusion Detection & Response (AN-IDR)
  - Intrusion Detection in Mobile Ad Hoc Nets (ID MANET)
  - Dynamic Quarantine (DQ)
- Network Traffic
  - Custom ICA proxy for Gauntlet firewall
  - SSL Transparency IRD
  - Web Services Security Study IRD
  - .NET Monitoring and Filtering IRD
- Network Traffic
  - NetBouncer
  - DDoS Tolerant Networks (FloodWatch)
  - Security and QoS in MANETs (SEQUOIA)
  - IIOP Interpreter
- Security Engineering
  - Intrusion Blocker for Cable/DSL Routers
  - Sniffer SRM Security Study
  - ePO vs. SEMS Analysis IRD
- Security Engineering
  - DDoS Testbed Study
  - OASIS Dem/Val
33. Wireless Intrusion Protection
Current Products
- Large Enterprises (> 2000)
  - Sniffer Mobile
  - Sniffer Wireless
  - Infinistream Forensics
  - VirusScan for PDAs
  - VirusScan Mobile
  - ePO for Wireless
- Medium Enterprises (250-2000)
  - Sniffer Mobile
  - Sniffer Wireless
  - Infinistream Forensics
  - VirusScan for PDAs
  - VirusScan Mobile
  - ePO for Wireless
- Small Business (< 250)
  - Sniffer Mobile
  - Sniffer Wireless
  - Infinistream Forensics
  - VirusScan for PDAs
  - VirusScan Mobile
  - ePO for Wireless
- Consumers
  - McAfee VirusScan for PDAs
Current Research
- Research, analyze, study, and develop solutions for security issues in emerging wireless protocols
  - 802.11 Security
- Apply cryptographic technologies to security issues in wireless protocols
  - Techniques for the physical and link levels
  - Ad-hoc wireless security
  - Low energy cryptographic techniques
  - Low bandwidth cryptographic protocols
  - Efficient key management
34. Wireless Intrusion Protection
BU Research / Government Research
- Wireless Security
  - 2.5G / 3G Wireless Security Study IRD
- Wireless Security
  - 802.11 security
  - Wireless Mobile Ad-Hoc Networks (MANETs)
  - Identity-based Group Key Management
  - Message Authentication Streams
  - Joint Iterative Decoding and Authentication
  - MANET Routing Protocol Security
  - Intrusion Detection for MANETs
- Wireless Security Engineering
  - Secure Access Point (SAP)
35. Malicious Code Defense
Current Products
- Large Enterprises (> 2000)
  - McAfee VirusScan
  - ePolicy Orchestrator
  - Entercept IDS
  - McAfee SpamKiller
- Medium Enterprises (250-2000)
  - McAfee VirusScan
  - ePolicy Orchestrator
  - Entercept IDS
  - McAfee SpamKiller
- Small Business (< 250)
  - McAfee VirusScan
  - ePolicy Orchestrator
  - Entercept IDS
  - McAfee SpamKiller
- Consumers
  - McAfee AntiVirus
  - McAfee Personal Firewall
  - McAfee SpamKiller
Current Research
- Stop malicious code from damaging computers and networks, and maintain system availability while under attack
- Research strategy
  - Know the attackers' methods
  - Recognize attacks when they occur
  - Prevent or limit the damage from the attacks
  - Operate through the attacks
  - Put the research to use
- Research areas
  - Malware technology and trends
  - Formal models of malicious code
  - Next-generation malicious code detection
  - Zero-day worm detection and containment
  - Comprehensive malware scanning
  - Intrusion tolerance and self-regeneration
  - SPAM detection and blocking
  - Source attribution
36. Malicious Code Defense
BU Research / Government Research
- Malicious Code Detection & Response
  - Jigsaw-based Correlation IRD
- Malicious Code Detection & Response
  - Mission-Aware Rapid Quarantine for Enterprise Environments (MARQUEE)
  - Malware technology and trends
  - Formal models of malicious code
- Malicious Code Engineering
  - Secure Protected Development Repository (SPDR)
  - State-of-the-Art in Decompilation and Disassembly (SADD)
- Anti-Spam
  - Steganographic Analysis of Metamorphic Virii
  - Advanced Anti-spam Detection Techniques
  - Detecting & Washing Stego Images
37. Security Policy Management
Current Products
- Large Enterprises (> 2000)
  - McAfee ePolicy Orchestrator (ePO)
  - Sniffer nPO Manager
  - Sniffer nPO Visualizer
  - IntruVert Security Manager (ISM)
- Medium Enterprises (250-2000)
  - McAfee ePolicy Orchestrator (ePO)
  - Sniffer nPO Manager
  - Sniffer nPO Visualizer
  - IntruVert Security Manager (ISM)
- Small Business (< 250)
  - McAfee ePolicy Orchestrator (ePO)
  - Sniffer nPO Manager
  - Sniffer nPO Visualizer
  - IntruVert Security Manager (ISM)
- Consumers
  - McAfee VirusScan
  - McAfee Personal Firewall
  - McAfee SpamKiller
Current Research
- Efficient, manageable security policy solutions
- Investigate, implement and validate mechanisms that support distributed security policy
  - Authoring,
  - Distribution,
  - Enforcement, and
  - Management
- Component mechanisms supporting security policy and management systems
  - Access Control Techniques and Mechanisms
  - Policy Definition Languages
38. Security Policy Management
BU Research / Government Research
- Security Policy Management
  - Policy Conflict & Compromise IRD
  - Policy Expansion & Propagation IRD
- Security Policy Management
  - Security policy configuration and enforcement across different platforms and mechanisms
  - High-level security policy definition and specification
- Access Controls
  - Attribute-based Access Control (ABAC)
  - Role-based Access Control (RBAC)
  - Team-based Access Control (TBAC)
  - Coalition-based Access Control (CBAC)
39. High-Performance Assurance & Forensics
Current Products
- Large Enterprises (> 2000)
  - Sniffer Distributed
  - Sniffer Portable
  - Infinistream
  - Cyprus 6040
- Medium Enterprises (250-2000)
  - Sniffer Distributed
  - Sniffer Portable
  - Infinistream
- Small Business (< 250)
  - Sniffer Distributed
  - Sniffer Portable
  - Infinistream
Current Research
- High-performance appliances
  - System architecture design and implementation trade-offs
  - Packet classification, content inspection, and semantic processing
  - Techniques for improving the speed and accuracy of Anti-Virus, Anti-Worm, Anti-Spam, IDS/IPS, Sniffer, and network capacity planning and management
  - Network processors, high-bandwidth wireless networks, and storage area nets
- Forensic analysis and situation assessment
  - Data mining, data collection, reduction, and normalization
  - Machine learning algorithms and applications
  - Visualization techniques
  - Techniques to improve the speed, accuracy and understanding of data aggregation, information processing and decision-making, and presentation
  - Domain-specific application analysis and information gathering
40. High-Performance Assurance & Forensics
BU Research / Government Research
- High-performance Appliances
  - Sniffer IXP
  - Stream-to-disk (STD) study IRD
- High-performance Appliances
  - NetBouncer
  - Active Network Intrusion Detection and Response (AN-IDR)
  - FloodWatch
- Security Evaluation
  - Sniffer 6040 Security Evaluation
  - Sniffer Infinistream Security Evaluation
41. Threats, Attacks, Vulnerabilities and Architectures
Current Products
- Large Enterprises (> 2000)
  - McAfee VirusScan, ThreatScan, ePolicy Orchestrator, SpamKiller
  - Entercept IDS
  - Intruvert IntruShield
- Medium Enterprises (250-2000)
  - McAfee VirusScan, ThreatScan, ePolicy Orchestrator, SpamKiller
  - Entercept IDS
  - Intruvert IntruShield
- Small Business (< 250)
  - McAfee VirusScan, ThreatScan, ePolicy Orchestrator, SpamKiller
  - Entercept IDS
  - Intruvert IntruShield
- Consumers
  - McAfee VirusScan, ThreatScan, SpamKiller
Current Research
- Identification and characterization through models, taxonomies, patterns, and representational tools of:
  - Threats to our security systems, including hackers, spies, terrorists, vandals, military forces, etc.
  - Attack mechanisms by which threats target our systems, networks, and information infrastructure, including study of preconditions and dependencies
  - System, network, and application vulnerabilities by which security objectives are compromised: their origin, properties, manifestation in software and hardware, and remediation
- Architectural strategies and solutions to counter potential security threats
  - Both novel and those resulting from the integration of current technologies
- Metrics, measurement techniques, and probabilistic techniques by which the effectiveness of specific security solutions and the composition of security solutions may be characterized and differentiated
42. Threats, Attacks, Vulnerabilities and Architectures
BU Research / Government Research
- Security Metrics Seedlings
  - Metrics for Key Management Systems
  - Measuring Assurance in Cyberspace
- Unifying Threat, Attack, Vulnerability Taxonomies
- Future Threats
  - AVERT
  - Network Associates Labs
  - Entercept
  - IntruVert
43. Our Customers and Partners
Our customers and partners include government agencies, leading technology corporations, and leading universities.
44. Emerging Technology Partnership
- Network Associates Laboratories is seeking partners with whom to deploy emerging intrusion protection technologies in operational environments to support assessment
- We actively seek teaming relationships with leading-edge, university-based information security researchers
45. Summary
- Problems with malicious activity are increasing
- Products are available to solve some of the problems
- Research must be focused to keep up with and eventually get ahead of problems
- Partnership among government, industry, and academia is the solution
46. Questions?