Security Products

1
Security Products Research for Campus Networks

• Erik G. Mettala, Ph.D.
• Vice President, Network Associates Laboratories

2
Summary

• Problems with malicious activity are increasing
• Products are available to solve some of the
  problems
• Research must be focused to keep up with and
  eventually get ahead of problems
• Partnership among government, industry, and
  academia is the solution

3
Network Incidents are Increasing
Source CMU Computer Emergency Response Team
4
Application Vulnerabilities are Increasing
Source CMU Computer Emergency Response Team
5

• Machines Infected per Hour at Peak

e
c
t
e
d
Code Red
Nimda
Goner
Slammer
2,777
6,250
12,500
100,000
Malicious Agent
Source McAfee AVERT
6
The Speed Of Attack AcceleratesSlammer Goes
Global In 3 Minutes
7
Companies Are Becoming More Porous, Susceptible
to War Driving

• Web services applications under development by
  98 of large enterprises
• 70 of WiFi networks are not secure
• 50M telecommuters
• 500 million Smart Phones by 2006

8
Network Associates Strategy
9
Product Extensions and New Markets
10
The Network Associates Security Portfolio
Network Associates Complete Threat Protection
System Protection Solutions
Network Protection Solutions

• Anti Virus - McAfee AntiVirus 1 in corporate
  usage, now with online solutions for employee and
  partner usage
• Enterprise Spam McAfee SpamKiller Exchange
  gateway products
• Host Intrusion Prevention McAfee Entercept
  stopped Slammer in production networks
• Policy Enforcement ePO 1 hour global react
  time. Rogue machine under development.

• Network Intrusion Prevention McAfee
  IntruShield blocks at gigabit speeds
• Security Forensics InfiniStream Security
  Forensics high speed collection analysis
• Network Instrumentation - Sniffer Network
  Protection Architecture
• Network and Application Management - nPO Solution

11
Protection Against New Known Attacks
Policy Enforcement Remediation
Forensic Analysis
12
System Protection Solutions
SpamKiller Enterprise
13
McAfee VirusScan - Desktop Server

• Windows NT4.0/XP/2000, Windows Server
  NT4.0/2000/2003 plus Cellera Citrix
• On-Access, On-demand, Scheduled, Memory, Email
  Scanning
• Centralized Management and Graphical Reporting
• ePolicy Orchestrator including 3.0 support
• Sophisticated Automatic Updating
• AutoUpdate via http, ftp, UNC share, local or
  mapped drives
• Incremental DATs, full DATs, engine updates,
  Extra.DATs, service packs, or hot-fixes
• Resumable updating
• Extensive Language Support
• 13 Languages
• Microsoft Multilingual User interface (MUI)
  support

14
McAfee SpamKiller

• Rules-Based Scanning and Scoring, 650 Rules
• 5 protection levels
• Integrity analysis - Examines the header, layout
  and organization of each email message, to
  identify the common characteristics of spam
• Heuristic Detection - Many rules are automated
  based on known spam characteristics
• Content Filtering - Detects keywords and phrases
• Black and White Lists - A Whitelist defines
  acceptable senders of email A Blacklist defines
  unwanted and unacceptable senders of email
• Self Tuning - Adjusts the spam score for senders
  who have been previously accepted senders of
  legitimate email

15
Entercept Host Intrusion Protection

• Host-based intrusion protection software that
  implements
• Signature-based detection
• Anomaly-based detection
• Behavior-based detection

16
Entercept Host Intrusion Protection
17
ePolicy Orchestrator

• Centralized control visibility of malicious
  code defenses

• Deploy maintain updated protection
• Update 50,000 devices in less than one hour
• Distribute weekly/emergency DATS, engines, SPs,
  Hot fixes, Extra.Dats, patches
• Identify and protect new devices and machines
• Configure enforce policies centrally
• Lock down automate your policy
• Customize policy to combat new threats
• Coordinate defenses for blended threats
• Monitor activity with total visibility
• Am I protected? Am I infected?
• View key one page executive summaries
• Track an outbreak to its source
• Initiate and report on viral vulnerability scans

18
McAfee Security AVERT- Anti-Virus Emergency
Response Team

• Leading AV research team w/ 50 years combined
  experience
• Global presence
• 365 days/year, 7 days/week, 24 hours/day!
• Advanced virus analysis and research
• Leading-edge anti-virus services
• Driving scan engine development

19
Network Protection Solutions
Sniffer Wireless
20
IntruVert Network Intrusion Prevention
Industrys first real-time network intrusion
prevention against known, unknown and DoS attacks
21
IntruVert Network Intrusion Prevention
22
IntruShield Next Generation IDS

• Accurate detection and real-time prevention
• Unprecedented Intrusion Intelligence
• Comprehensive integrated protection
• Advanced signature, Anomaly, DoS detection
• Scalability and deployment flexibility
• In-line, Tap, SPAN, Port clustering, High
  Availability
• Delivers Security Return on Investment (ROI)

23
InfiniStream Security Forensics

• Network traffic forensic software based on Traxis
  stream-to-disk technology
• Continuously capture and store network traffic
• Stores up to 2.5 days of traffic at gigabit
  speeds in 2.7 TeraBytes of storage
• Reconstruct, replay, and investigate specific
  events, such as security breaches and network
  slowdowns
• Allows in-depth understanding of the root cause
  of costly problems to prevent them from happening
  again

24
Sniffer Technologies

• Network Instrumentation - Sniffer Network
  Protection Architecture
• Expert Analysis in the Field - Sniffer Portable
• Protocol Analysis in a Single Network Appliance -
  Sniffer Distributed
• Manage wireless LAN 802.11b environments -
  Sniffer Wireless
• Analyze Voice/Data convergence - Sniffer Voice
  Over IP
• Small Business Network Analysis - Sniffer
  Investigator
• Network and Application Management - nPO
  Solution

25
The Intrusion Protection Challenge

• Intrusion Protection technologies are nascent in
  nature
• Intrusion protection is addressing a
  fundamentally hard, if not intractable problem
• Regardless of the difficulty, the need remains
  high
• Requires substantial RD partnership among
  government, industry, and academia

26
Network Associates Laboratories

• Vision
• To be internationally recognized as the leading
  authority in intrusion protection research
• Mission
• To conduct fundamental and applied research and
  to develop prototype applications that provide
  highly accurate, highly automated approaches to
  computer and network security and response

27
Network Associates Labs Organization and Projects
HIP
NIP
SPM
TAVA
HPAF
WIP
MCD
Host Intrusion Protection
Network Intrusion Protection
Security Policy Mgmt
Threats, Attacks, Vulnerabilities Architectures
High Performance Assurance Forensics
Wireless Intrusion Protection
Malicious Code Defense
Trusted BSD SELinux Wrappers SHIM
IDIP/CITRA ANIDR NetBouncer FloodWatch CORBA Java
RMI ITDOS
RBAC TBAC TMAC CBAC ABAC
Metrics
GINSU Sniffer IXP
DoS DDoS Worms Anti-Spam
802.11b
Windows Palm OS WinCE
IDMANET
Spice IDioM
Semantic Processor
Windows Palm OS WinCE
HESSI TWNA Sequoia 3RG
De-Worm SPMA SADD
28
Mapping Labs RGs to BU Strategy
HIP
NIP
WIP
MCD
SPM
HPAF
TAVA
29
Host Intrusion Protection
Current Products
Current Research

• Large Enterprises (gt 2000)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
• E-Business Server

• Host-based security and intrusion prevention from
  the operating system out
• Automatic and highly accurate intrusion
• Identification, detection, impact, response,
  forensics, remediation and incident management
• Open source secure operating systems and boot
  loaders
• Trusted BSD (5.0)
• Security Enhanced Linux
• Generic software wrappers
• Secure Windows systems
• X-Windows
• MS Windows
• Secure Middleware programs
• FTP, SMTP, HTTP, CORBA

• Groupshield
• WebShield
• SpamKiller

• Medium Enterprises (251-2000)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
• E-Business Server

• Groupshield
• WebShield
• SpamKiller

• Small Business (lt 251)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS

• Consumers
• McAfee VirusScan
• McAfee SpamKiller
• McAfee Personal Firewall

30
Host Intrusion Protection
BU Research
Government Research

• Operating Systems
• e500 Linux platform security evaluation
• Sniffer re-hosting

• Operating Systems
• Trusted BSD Framework
• Security Enhanced Linux

• Intrusion Protection
• Guaranteed Internet stack utilization (GINSU)
• Generic software wrappers
• System health and intrusion monitoring (SHIM)

• Intrusion Protection
• Response and Remediation

• Security Engineering
• Porting and testing for VirusScan engine OEM
  customers

• Security Engineering
• Commercial OS audit facilities

31
Network Intrusion Protection
Current Products
Current Research

• Large Enterprises (gt 2000)
• Sniffer nPO
• Sniffer Distributed
• Sniffer Portable
• Infinistream Forensics

• Preventing intrusions from entering and
  traversing wired and wireless networks
• Analyzing, interpreting, filtering, and shaping
  network traffic, and
• Rapidly coordinating other defensive actions on
  hosts, gateways, network monitors, management
  components, and specialized security devices
• Components and protocols focused on network
  devices and protocols
• Coordinated intrusion traceback and response
  architectures and protocols for large enterprises
• QoS and intrusion detection/correlation in wired
  and wireless networks, e.g., MANETs
• Mobile-code-based network security components
• DDoS and worm defense
• Protocol interpretation and filtering in
  monitoring devices and security gateways such as
  firewalls, routers, switches, and guards

• NetShield
• e500/e1000
• IntruShield Network IDS

• Medium Enterprises (250-2000)
• Sniffer nPO
• Sniffer Distributed
• Sniffer Portable
• Sniffer Wireless

• NetShield
• e250
• IntruShield Network IDS

• Small Business (lt 250)
• Sniffer Portable
• Sniffer Wireless
• IntruShield Network IDS

• Consumers
• McAfee Personal Firewall

32
Network Intrusion Protection
BU Research
Government Research

• Coordinated Analysis
• End-Host Corroboration IRD

• Coordinated Action
• Intrusion Detection Interface Protocol(IDIP),
  CITRA/IDIP
• Adaptive Network Intrusion Detection Response
  (AN-IDR)
• Intrusion Detection in Mobile Ad Hoc Nets (ID
  MANET)
• Dynamic Quarantine (DQ)

• Network Traffic
• Custom ICA proxy for Gauntlet firewall
• SSL Transparency IRD
• Web Services Security Study IRD
• .NET Monitoring and Filtering IRD

• Network Traffic
• NetBouncer
• DDOS Tolerant Networks (FloodWatch)
• Security and QoS in MANETs (SEQUOIA)
• IIOP Interpreter

• Security Engineering
• Intrusion Blocker for Cable/DSL Routers
• Sniffer SRM Security Study
• ePO vs. SEMS Analysis IRD

• Security Engineering
• DDoS Testbed Study
• OASIS Dem / Val

33
Wireless Intrusion Protection
Current Products
Current Research

• Large Enterprises (gt 2000)
• Sniffer Mobile
• Sniffer Wireless
• Infinistream Forensics

• Research, analyze, study, and develop solutions
  for security issues in emerging wireless
  protocols
• 802.11 Security
• Apply cryptographic technologies to security
  issues in wireless protocols
• Techniques for the physical and link levels
• Ad-hoc wireless security
• Low energy cryptographic techniques
• Low bandwidth cryptographic protocols
• Efficient key management

• VirusScan for PDAs
• VirusScan Mobile
• ePO for Wireless

• Medium Enterprises (250-2000)
• Sniffer Mobile
• Sniffer Wireless
• Infinistream Forensics

• VirusScan for PDAs
• VirusScan Mobile
• ePO for Wireless

• Small Business (lt 250)
• Sniffer Mobile
• Sniffer Wireless
• Infinistream Forensics

• VirusScan for PDAs
• VirusScan Mobile
• ePO for Wireless

• Consumers
• McAfee VirusScan for PDAs

34
Wireless Intrusion Protection
BU Research
Government Research

• Wireless Security
• 2.5G / 3G Wireless Security Study IRD

• Wireless Security
• 802.11 security

• Wireless Mobile Ad-Hoc Networks (MANETs)
• Identity-based Group Key Management
• Message Authentication Streams
• Joint Iterative Decoding and Authentication
• MANET Routing Protocol Security
• Intrusion Detection for MANETs

• Wireless Security Engineering
• Secure Access Point (SAP)

35
Malicious Code Defense
Current Products
Current Research

• Large Enterprises (gt 2000)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
• McAfee SpamKiller

• Stop malicious code from damaging computers and
  networks, and maintain system availability while
  under attack
• Research strategy
• Know the attackers methods
• Recognize attacks when they occur
• Prevent or limit the damage from the attacks
• Operate through the attacks
• Put the research to use
• Research areas
• Malware technology and trends
• Formal models of malicious code
• Next-generation malicious code detection
• Zero-day worm detection and containment
• Comprehensive malware scanning
• Intrusion tolerance and self-regeneration
• SPAM detection and blocking
• Source attribution

• Medium Enterprises (250-2000)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
• McAfee SpamKiller

• Small Business (lt 250)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
• McAfee SpamKiller

• Consumers
• McAfee AntiVirus
• McAfee Personal Firewall
• McAfee SpamKiller

36
Malicious Code Defense
BU Research
Government Research

• Malicious Code Detection Response
• Jigsaw-based Correlation IRD

• Malicious Code Detection Response
• Mission-Aware Rapid Quarantine for Enterprise
  Environments (MARQUEE)
• Malware technology and trends
• Formal models of malicious code

• Malicious Code Engineering
• Secure Protected Development Repository (SPDR)
• State-of-the-Art in Decompilation and Disassembly
  (SADD)

• Anti-Spam
• Steganographic Analysis of Metamorphic Virii
• Advanced Anti-spam Detection Techniques
• Detecting Washing Stego Images

37
Security Policy Management
Current Products
Current Research

• Large Enterprises (gt 2000)
• McAfee ePolicy Orchestrator (ePO)
• Sniffer nPO Manager
• Sniffer nPO Visualizer
• IntruVert Security Manager (ISM)

• Efficient manageable security policy solutions
• Investigate, implement and validate mechanisms
  that support distributed security policy
• Authoring,
• Distribution,
• Enforcement, and
• Management
• Component mechanisms supporting security policy
  and management systems
• Access Control Techniques and Mechanisms
• Policy Definition Languages

• Medium Enterprises (250-2000)
• McAfee ePolicy Orchestrator (ePO)
• Sniffer nPO Manager
• Sniffer nPO Visualizer
• IntruVert Security Manager (ISM)

• Small Business (lt 250)
• McAfee ePolicy Orchestrator (ePO)
• Sniffer nPO Manager
• Sniffer nPO Visualizer
• IntruVert Security Manager (ISM)

• Consumers
• McAfee VirusScan
• McAfee Personal Firewall
• McAfee SpamKiller

38
Security Policy Management
BU Research
Government Research

• Security Policy Management
• Policy Conflict Compromise IRD
• Policy Expansion Propagation IRD

• Security Policy Management
• Security policy configuration and enforcement
  across different platforms and mechanisms
• High-level security policy definition and
  specification

• Access Controls
• Attribute-based Access Control (ABAC)
• Role-based Access Control (RBAC)
• Team-based Access Control (TBAC)
• Coalition-based Access Control (CBAC)

39
High-Performance Assurance Forensics
Current Products
Current Research

• Large Enterprises (gt 2000)
• Sniffer Distributed
• Sniffer Portable
• Infinistream
• Cyprus 6040

• High-performance appliances
• System architecture design and implementation
  trade-offs
• Packet classification, content inspection, and
  semantic processing
• Techniques for improving the speed and accuracy
  of Anti-Virus, Anti-Worm, Anti-Spam, IDS/IPS,
  Sniffer, and network capacity planning and
  management
• Network processors, high-bandwidth wireless
  networks, and storage area nets
• Forensic analysis and situation assessment
• Data mining, data collection, reduction, and
  normalization
• Machine learning algorithms and applications
• Visualization techniques
• Techniques to improve the speed, accuracy and
  understanding of data aggregation, information
  processing and decision-making, and presentation
• Domain-specific application analysis and
  information gathering

• Medium Enterprises (250-2000)
• Sniffer Distributed
• Sniffer Portable
• Infinistream

• Small Business (lt 250)
• Sniffer Distributed
• Sniffer Portable
• Infinistream

• Consumers

40
High-Performance Assurance Forensics
BU Research
Government Research

• High-performance Appliances
• Sniffer IXP
• Stream-to-disk (STD) study IRD

• High-performance Appliances
• NetBouncer
• Active Network Intrusion Detection and Response
  (AN-IDR)
• FloodWatch

• Security Evaluation
• Sniffer 6040 Security Evaluation
• Sniffer Infinistream Security Evaluation

41
Threats, Attacks, Vulnerabilities and
Architectures
Current Products
Current Research

• Large Enterprises (gt 2000)
• McAfee VirusScan, ThreatScan, ePolicy
  Orchestrator, SpamKiller
• Entercept IDS
• Intruvert IntruShield

• Identification and characterization through
  models, taxonomies, patterns, and
  representational tools
• Threats to our security systems including
  hackers, spies, terrorists, vandals, military
  forces, etc.
• Attack mechanisms by which threats target our
  systems, networks, and information infrastructure
  including study of preconditions and dependencies
• System, network, and application vulnerabilities
  by which security objectives are compromised --
  their origin, properties, manifestation in
  software and hardware, and remediation
• Architectural strategies and solutions to counter
  potential security threats
• Both novel and those resulting from the
  integration of current technologies
• Metrics, measurement techniques, and
  probabilistic techniques by which the
  effectiveness of specific security solutions and
  the composition of security solutions may be
  characterized and differentiated

• Medium Enterprises (250-2000)
• McAfee VirusScan, ThreatScan, ePolicy
  Orchestrator, SpamKiller
• Entercept IDS
• Intruvert IntruShield

• Small Business (lt 250)
• McAfee VirusScan, ThreatScan, ePolicy
  Orchestrator, SpamKiller
• Entercept IDS
• Intruvert IntruShield

• Consumers
• McAfee VirusScan, ThreatScan, SpamKiller

42
Threats, Attacks, Vulnerabilities and
Architectures
BU Research
Government Research

• Security Metrics Seedlings
• Metrics for Key Management Systems
• Measuring Assurance in Cyberspace
• Unifying Threat, Attack, Vulnerability
  Taxonomies

• Future Threats
• AVERT
• Network Associates Labs
• Entercept
• InruVert

• Other
• Security Patterns

• Virus Threats
• AVERT

43
Our Customers and Partners
Our customers and partners include Government
agencies, leading technology corporations, and
leading universities
44
Emerging Technology Partnership

• Network Associates Laboratories is seeking
  partners with whom to deploy emerging intrusion
  protection technologies in operational
  environments to support assessment
• We actively seek teaming relationships with
  leading-edge, university-based information
  security researchers

45
Summary

• Problems with malicious activity are increasing
• Products are available to solve some of the
  problems
• Research must be focused to keep up with and
  eventually get ahead of problems
• Partnership among government, industry, and
  academia is the solution

46
Questions?