Unified Threat Management - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Unified Threat Management


1
Unified Threat Management
  • Peter Theobald
  • CEO, IT Secure
  • Presentation at
  • Sys Admin Workshop, IIT Kanpur
  • Oct 21, 2005

2
IIT Kanpur Sys Admin Workshop Quiz
  • When is Sys Admin Appreciation Day?

5
Sys Admins have a tough enough job already..
  • What about Security threats?
  • How serious are they?
  • What is the most effective and cost efficient way
    to handle them?

6
Current Trends
  • Speed and sophistication of cyber-attacks are
    dramatically increasing
  • Blended threats, hybrid attacks and automated
    tools have become popular, and obtaining them is
    easy
  • Critical infrastructure is dependent on the Internet,
    and threats are progressively more unpredictable
  • Security problems cost time, money and pain

7
[Chart: Attack Sophistication vs. Intruder Technical Knowledge, 1980 to 2004. Attack sophistication rises from low to high while the technical knowledge an intruder needs falls. Tools and techniques in roughly chronological order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, www attacks, network management diagnostics, denial of service, distributed attack tools, stealth/advanced scanning techniques, staged attacks, cross-site scripting, auto-coordinated attacks.]
8
Vulnerability in Software
  • 99% of intrusions result from exploitation of
    known vulnerabilities
  • Source: CERT, Carnegie Mellon University, 2001
  • Cause: software vulnerabilities come from source
    code written without proper input checks and
    buffer handling
  • Threat: facilitated by not applying patches to
    vulnerable machines, and having those machines
    exposed on the network to outside threats
  • The recent Slammer worm exploited a SQL Server
    vulnerability for which a patch had been
    available since July 2002

9
E-mail Viruses
  • E-mail has become the primary means for
    distributing threats
  • Trojans are easy to deliver and install
  • HTML viruses (no user intervention) with webmail
  • E-mails with attachments containing macros,
    VB scripts, JavaScript and HTML scripts

10
File Based Threats
  • Example: Internet download
  • Viruses and malicious code infection from
  • Peer-to-peer networks
  • Instant messaging apps
  • Shareware sites
  • Compromised servers
  • Legitimate corporations
  • Web-based email
  • These threats pass straight through stateful packet
    inspection firewalls, because the download arrives
    on an allowed port
  • Once inside the network, other hosts are easily
    infected

[Diagram: a user on the corporate network requests a download; the file passes the firewall and reaches the file server.]
11
File Based Threats
  • Example: NetBIOS file transfers
  • Viruses can be uploaded to network drives
  • Once on the network drive, users who open the
    files are infected
  • Nimda was a worm that attacked file servers and
    opened a back door allowing an attacker to take
    control of the server

12
Application Attacks
  • Unpatched servers: Scob
  • Servers do not get up-to-date patches
  • Attacker sends malicious code through a buffer
    overflow
  • The injected instructions are executed on the
    victim's computer
  • Can also be used as a denial-of-service attack,
    causing the computer to crash
  • Server is infected
  • New users who access the server get infected

[Diagram: a malicious hacker gains access to the server; each user who then accesses the server is infected in turn.]
13
Software Development Mistakes
[Pie chart of vulnerability causes, compiled from CERT Advisories and SecurityFocus: Buffer Overflows, Boundary Condition Error, Input Validation Error, Access Validation Error, Failure to Handle Exceptional Conditions, Design Error, Configuration Error, Format String, Integer Overflow, Double Free, Unknown, Others.]
14
A Complete Attack MyTob
15
MyTob Worm
  • Discovered on February 26, 2005
  • W32.Mytob@mm is a mass-mailing worm that
    propagates via network shares and through email
  • Uses its own SMTP engine to send an email to
    locally harvested email addresses
  • Exploits the Microsoft Windows LSASS remote
    buffer overflow and the RPC/DCOM vulnerability
  • Opens a back door into the affected computer
  • Protects itself by redirecting anti-virus update
    sites to the local computer, so updates fail

16
Step 1: Arrives as an email attachment or via a buffer overflow exploit
  • Copies itself as System\msnmsgs.exe
  • Adds the value "MSN" = "msnmsgs.exe" to the
    following registry keys:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\OLE
  • HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
  • W32.Mytob@mm therefore runs every time Windows starts

18
Step 2: Loads itself into memory
  • Since the exe is now in the start-up keys,
    msnmsgs.exe is loaded into memory at every boot
  • The string "HELLBOT by Diablo" is embedded in the
    program, advertising who wrote it

19
Step 3: Logs in to an IRC channel
  • Connects to an IRC channel on the
    irc.blackcarder.net domain on TCP port 6667
  • Advertises the host PC's IP address
  • Listens for commands that allow the remote
    attacker to:
  • Download files
  • Execute files
  • Delete files
  • Update itself
  • Get uptime information

[Diagram: the infected host in the user zone connects out past the IDP to the attacker's IRC server.]
20
Step 4: Generates potential targets and attacks them
  • Generates random IP addresses
  • Exploits the RPC/DCOM vulnerability
  • Allows the program to gain full access and
    execute any code on a target machine by sending a
    malformed packet to the DCOM service
  • Exploits the Windows LSASS vulnerability
  • This is a buffer overflow that allows remote code
    execution and enables a malicious user to gain
    full control of the affected system

21
Step 5: Uses its own SMTP engine to send itself
  • Searches the local computer for email addresses
    in files with these extensions:
  • .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm
  • Sends mail with a spoofed From address and one of
    these subjects:
  • hello
  • hi
  • error
  • status
  • Mail Transaction Failed
  • Mail Delivery System
  • SERVER REPORT
  • (No Subject)
  • (random alphabets)

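The five steps above leave three behaviours that are visible on the network without any host-side signature: an outbound IRC connection on TCP 6667 (step 3), a sweep of random addresses on the RPC/DCOM and LSASS ports 135 and 445 (step 4), and direct SMTP from a workstation that is not a mail server (step 5). The Python below is added here as an example and is not part of the presentation; it runs a detector for those three behaviours over a constructed firewall connection log. The log format, the mail-server allow-list and the sweep threshold are assumptions.

```python
"""Flag hosts showing MyTob-style worm behaviour in firewall connection logs.
Added example; log format, allow-list and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample log (not from the presentation). Hypothetical format:
# "<time> <src_ip> <dst_ip> <dst_port> <proto> <action>"
SAMPLE_LOG = """\
09:00:01 10.1.5.23 203.0.113.10 6667 tcp allow
09:00:02 10.1.5.23 198.51.100.7 25 tcp allow
09:00:02 10.1.5.23 192.0.2.44 25 tcp allow
09:00:03 10.1.5.23 10.1.7.9 445 tcp allow
09:00:03 10.1.5.23 10.1.7.10 445 tcp deny
09:00:03 10.1.5.23 10.1.7.11 135 tcp deny
09:00:03 10.1.5.23 10.1.7.12 135 tcp deny
09:00:04 10.1.5.23 10.1.7.13 445 tcp deny
09:00:04 10.1.5.23 10.1.7.14 445 tcp deny
09:00:04 10.1.5.23 10.1.7.15 445 tcp deny
09:00:05 10.1.2.8 198.51.100.7 25 tcp allow
09:00:06 10.1.9.4 203.0.113.99 80 tcp allow
"""

MAIL_SERVERS = {"10.1.2.8"}   # assumption: the only host allowed to send SMTP directly
IRC_PORTS = {6667}            # MyTob's C2 port (slide: irc.blackcarder.net, TCP 6667)
EXPLOIT_PORTS = {135, 445}    # RPC/DCOM and LSASS are reached over these
SCAN_THRESHOLD = 5            # distinct targets on exploit ports before calling it a sweep

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+) (allow|deny)$")


def parse_log(text):
    """Turn the hypothetical log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, src, dst, port, proto, action = m.groups()
        records.append({"time": t, "src": src, "dst": dst,
                        "port": int(port), "proto": proto, "action": action})
    return records


def detect_mytob(records, mail_servers=MAIL_SERVERS):
    """Return {src_ip: [indicator, ...]} for the three behaviours.

    Denied connections count too: a worm sweeping random addresses produces
    mostly failed or blocked attempts, and that failure pattern is the signal.
    """
    irc, smtp, sweep = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        if r["proto"] != "tcp":
            continue
        if r["port"] in IRC_PORTS:
            irc[r["src"]].add(r["dst"])
        if r["port"] == 25 and r["src"] not in mail_servers:
            smtp[r["src"]].add(r["dst"])
        if r["port"] in EXPLOIT_PORTS:
            sweep[r["src"]].add(r["dst"])

    findings = defaultdict(list)
    for src, dsts in irc.items():
        findings[src].append("irc_c2:" + ",".join(sorted(dsts)))
    for src, dsts in smtp.items():
        findings[src].append(f"direct_smtp:{len(dsts)}_hosts")
    for src, dsts in sweep.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].append(f"exploit_sweep:{len(dsts)}_targets")
    return dict(findings)


def suspects(findings, min_indicators=2):
    """Hosts showing at least two independent behaviours; one alone is weak evidence."""
    return sorted(h for h, ind in findings.items() if len(ind) >= min_indicators)


if __name__ == "__main__":
    result = detect_mytob(parse_log(SAMPLE_LOG))
    for host in suspects(result):
        print(host, result[host])
```

Requiring two independent indicators before escalating keeps a lone IRC user or a misconfigured mail relay from paging anyone; a host that talks IRC, sends its own mail and hammers 135/445 across the subnet is the worm.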
22
Understanding Spyware
23
What is Spyware/Adware?
  • Spyware is any software that uses a
    computer's Internet access without the host's
    knowledge or explicit permission
  • According to certain experts, approximately 90%
    of computers have some form of spyware
  • Aids in gathering information:
  • Browsing habits (sites visited, links clicked,
    etc.)
  • Data entered into forms (including account names,
    passwords, text of web forms and web-based email,
    etc.)
  • Keystrokes and work habits

24
Spyware Infection
  • A - Downloading programs
  • Kazaa / screensavers / Windows utilities
  • Download managers / file-sharing software / demo
    software
  • B - Trojans that are delivered or downloaded in
    e-mail
  • C - Free, banner-ad-based software and pop-ups
  • D - The most notorious enabler of spyware is
    Microsoft's ActiveX

[Diagram: infection paths A to D reaching the user zone from random Internet IPs.]
25
Today's Aging Technology
  • Stateful Packet Inspection (SPI) provides only
    limited protection
  • Provides source / destination / state
    intelligence
  • Provides network address translation
  • Stateful firewalls cannot protect against threats
    that are application-layer, file or email
    based

26
Firewall Technology
  • Typical firewalls are effective only for port blocking
  • If a port is open it is assumed any data can pass
  • Intrusion detection is a reactive approach that
    alerts after the fact and does not actively protect
  • Security must be built upon deep packet
    inspection, with AV / anti-spyware / intrusion
    prevention and dynamic signature updates

27
The New Standard - UTM
  • Unified Threat Management
  • Integration of Firewall
  • Deep Packet Inspection
  • Intrusion Prevention for blocking network threats
  • Anti-Virus for blocking file-based threats
  • Anti-Spyware for blocking spyware
  • Faster updates to the dynamically changing threat
    environment and fewer false positives

28
Deep Packet Inspection - Unified Threat Management
  • Zone-based security: protect internally, not only
    at the perimeter
  • Gateway Anti-Virus: scan through unlimited file
    sizes; scan through unlimited connections; scan
    over more protocols than any similar solution
  • Anti-Spyware for protection against malicious
    programs: blocks the installation of spyware;
    blocks spyware that is emailed and sent internally
  • Application Layer Threat Protection: full
    protection from Trojan, worm, blended and
    polymorphic threats
  • Full L2-7 signature-based inspection
  • Application awareness

[Diagram: "PRO Series as a Prevention Solution". SonicWALL IPS/GAV dynamic updates feed the DPI engine (Intrusion Prevention / Gateway AV / Anti-Spyware), which is enforced between the Server, User and Dept zones.]
29
Technology Behind the Scenes
30
Hidden threats
[Diagram: "Our World View" is typical user activity (email, web, file transfers); the "Firewall View" of the same traffic is a stream of packets on the firewall traffic path.]
Network communication, like email, file transfers
and web sessions, is packetized: traffic is many
packets, and each packet is header information plus
data. Threats hide in the data.
31
Stateful Packet Inspection
Example packet header, as shown on the slide:
  • Source: 212.56.32.49
  • Destination: 65.26.42.17
  • Source Port: 823747 (sic: TCP port numbers are
    16-bit, so a real source port is at most 65535)
  • Dest Port: 80
  • Sequence: 2821 / 28474
  • IP Option: none
  • SYN state: SYN
Stateful inspection is limited: it can only block on
addresses, ports and connection state. No data
inspection!
32
Deep Packet Inspection
Deep Packet Inspection inspects the data of all
traffic moving through the device, not only the
headers that stateful inspection looks at
33
Deep Packet Inspection / Prevention
Signature database (categories and signature counts
as listed on the slide):
ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15,
DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13,
FTP 50, ICMP 115, Instant Messenger 25, IMAP 16,
INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19,
MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25,
P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124,
RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14,
TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312,
WEB-CLIENT
Comparing packet contents against the database:
"Application Attack, Worm or Trojan Found!"
Deep Packet Inspection with Intrusion Prevention
can find and block application-vulnerability
exploits, worms and Trojans that a stateful
firewall passes through.
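Slides 31 to 33 contrast the two inspection stages. The Python below is an added example, not code from the presentation or from SonicWALL: it builds a minimal TCP handshake and HTTP request with struct, passes the packets through a toy stateful filter that sees only the 5-tuple and connection state, and then through a signature matcher. The two signatures, the request string and the source port are illustrative (the addresses are the ones on slide 31). It also shows why matching per packet is not enough: an attack string split across two segments is only caught when the flow is matched as a stream.

```python
"""Stateful inspection vs. deep packet inspection on hand-built TCP segments.
Added example; packet builder, firewall and signatures are all illustrative."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

# Illustrative signatures in the style of the categories on the slide; not a
# real signature database.
SIGNATURES = [
    ("WEB-IIS cmd.exe access", b"cmd.exe"),
    ("WEB-MISC directory traversal", b"../.."),
]


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Minimal IPv4 + TCP segment (checksums and seq/ack zero): enough to parse."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ip_bytes(src), ip_bytes(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    ihl = (raw[0] & 0x0F) * 4
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    data_start = ihl + (off >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "payload": raw[data_start:]}


class StatefulFirewall:
    """Decides on the 5-tuple and connection state only; never reads payload."""

    def __init__(self, open_ports):
        self.open_ports, self.flows = open_ports, set()

    def filter(self, p):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] & SYN and not p["flags"] & ACK:      # new connection
            if p["dport"] in self.open_ports:
                self.flows.add(key)
                return "allow"
            return "deny"
        if key in self.flows or reverse in self.flows:      # part of a known flow
            return "allow"
        return "deny"


class DeepInspector:
    """Matches payload against signatures, per segment or over each flow's stream."""

    def __init__(self, signatures, stream=True):
        self.signatures, self.stream, self.buffers = signatures, stream, {}
        self.keep = max(len(pat) for _, pat in signatures) - 1   # tail that may still match

    def inspect(self, p):
        data = p["payload"]
        if not data:
            return None
        if self.stream:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            data = self.buffers.get(key, b"") + data
            self.buffers[key] = data[-self.keep:] if self.keep else b""
        for name, pattern in self.signatures:
            if pattern in data:
                return name
        return None


def run_pipeline(packets, signatures, stream=True, open_ports=frozenset({80})):
    """(stateful verdict, DPI hit) per packet; DPI only sees what stateful allowed."""
    fw, dpi = StatefulFirewall(open_ports), DeepInspector(signatures, stream)
    out = []
    for raw in packets:
        p = parse_packet(raw)
        verdict = fw.filter(p)
        out.append((verdict, dpi.inspect(p) if verdict == "allow" else None))
    return out


def demo_packets(split=False):
    """Handshake to a web server, then a request carrying an attack string."""
    c, s = ("212.56.32.49", 1025), ("65.26.42.17", 80)     # source port is made up
    request = b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
    pkts = [build_packet(c[0], s[0], c[1], s[1], SYN),
            build_packet(s[0], c[0], s[1], c[1], SYN | ACK)]
    if split:   # attacker splits the string so no single segment contains it
        cut = request.index(b"cmd") + 2
        pkts.append(build_packet(c[0], s[0], c[1], s[1], ACK | PSH, request[:cut]))
        pkts.append(build_packet(c[0], s[0], c[1], s[1], ACK | PSH, request[cut:]))
    else:
        pkts.append(build_packet(c[0], s[0], c[1], s[1], ACK | PSH, request))
    return pkts


if __name__ == "__main__":
    print("whole request :", run_pipeline(demo_packets(), SIGNATURES))
    print("split, packet :", run_pipeline(demo_packets(split=True), SIGNATURES, stream=False))
    print("split, stream :", run_pipeline(demo_packets(split=True), SIGNATURES, stream=True))
```

The stateful stage allows the attack request because port 80 is open and the flow completed its handshake; only the signature stage sees cmd.exe in the data. The split case is the caveat behind the "reassembly-free" claim on slide 39: whatever the engine is called, it must carry matching state across segment boundaries, or a trivial fragmentation of the payload walks past it.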
34
Gateway Anti-Virus and Content Control
[Diagram: the same signature database as slide 33; a file downloaded from an auction site is identified as "Virus File!" by the deep packet inspection stage behind stateful packet inspection on the firewall traffic path.]
35
Security Must Be Updated
[Diagram: the same signature database as slide 33, backed by four separately updated databases: AV database, IPS database, anti-spyware database and content filtering database. Inspection stages along the firewall traffic path: stateful packet inspection, deep packet inspection (intrusion prevention, gateway anti-virus and anti-spyware), content inspection (content filtering service).]
36
SonicWALL Solutions
37
Value Innovation Philosophy
  • Affordable
  • Total Cost of Ownership
  • Simple
  • Easy to Install, Use and Manage
  • Powerful
  • Deep, Dynamic and Distributed

38
Unified Threat Management Appliance
  • Content Filtering
  • Reporting
  • Secure Wireless
  • High Availability - Appliance
  • ISP LoadBalancing/Failover
  • Central Management
  • Firewall
  • VPN
  • Basic bandwidth Management
  • Gateway AV, Intrusion Prevention and Anti-spyware

39
Dynamic Real-Time Protection
  • Dynamic real-time threat scanning engine at the
    gateway
  • Anti-Virus, Anti-Spyware and Intrusion Prevention
  • Protects against viruses, spyware, worms,
    Trojans and application vulnerability exploits
  • External and internal protection
  • Reassembly-free engine
  • Scans and decompresses an unlimited number of
    files of unlimited size
  • Supports over 50 protocol types, including
  • SMTP, IMAP, POP3 (email), HTTP (web), FTP (file
    transfer)
  • Peer-to-peer transfers, NetBIOS intra-LAN
    transfers, any stream-based protocol
  • Signature database updated by an expert signature
    team

40
The TZ Series is the ideal total security
platform for small networks, providing a
compelling blend of ease of use for basic
networks and flexibility for more complex
networks.
TZ 150
  • Deep Packet Inspection Firewall
  • Supports up to 10 nodes
  • 4-port MDIX LAN Switch
  • 30 Days of IPS/AV/CFS
TZ 170
  • Deep Packet Inspection Firewall
  • WorkPort
  • 5-port MDIX Switch
  • Upgrade to SonicOS Enhanced
  • 30 Days of IPS/AV/CFS
TZ 170 SP
  • Deep Packet Inspection Firewall
  • Failover/Failback
  • Analog Modem
  • Upgrade to SonicOS Enhanced
  • 5-port MDIX Switch
  • 30 Days of IPS/AV/CFS
TZ 170 Wireless
  • Deep Packet Inspection Firewall
  • Wireless/Wired Security
  • 802.11b/g Radio
  • Upgrade to SonicOS Enhanced
  • 5-port MDIX Switch
  • 30 Days of IPS/AV/CFS
TZ 170 SP Wireless
  • All the best features from each TZ 170
  • SHIPS WITH SonicOS Enhanced!
  • 30 Days of IPS/AV/CFS

41
The PRO Series is a multi-service security
platform for companies requiring rock solid
network protection coupled with fast, secure VPN
access for remote employees.
PRO 1260
  • Small networks up to 25 nodes
  • Deep Packet Inspection Engine
  • 30 Days of IPS/AV/CFS
PRO 2040
  • Small-to-medium networks up to 200 nodes
  • Deep Packet Inspection Engine
  • Unlimited Nodes
  • 10 VPN Clients
  • 30 Days of IPS/AV/CFS
PRO 3060
  • Businesses with complex networks
  • Deep Packet Inspection Engine
  • 6 User-defined Interfaces
  • Unlimited Nodes
  • 25 VPN Clients
  • 30 Days of IPS/AV/CFS
PRO 4060
  • Businesses with complex network and VPN
    requirements
  • Deep Packet Inspection Engine
  • SonicOS Enhanced
  • 6 User-defined Interfaces
  • Unlimited Nodes
  • 1,000 VPN Clients
  • 1 Year of SonicWALL IPS
PRO 5060
  • Medium-to-large enterprise networks requiring
    Gigabit performance
  • Copper and Copper/Fiber Versions
  • Deep Packet Inspection Engine
  • SonicOS Enhanced
  • 2,000 VPN Clients
  • 1 Year of SonicWALL IPS

SonicOS Enhanced upgrade provides ISP failover,
object-based management, policy-based NAT, 4
interface support, and Distributed Wireless
42
Understanding Spam
43
Tactical Content Management
  • Forged sender address and envelope
  • Fools the recipient into opening the mail

45
Tactical Content Management
  • Image-only mails
  • How will text-based filters work when there is
    no text to match?

47
Word and Token Manipulation
  • Manipulate text in email so keyword matching fails

49
Uniqueness Generation
  • Junk words
  • Random words, so that every copy of the mail is
    unique and checksum-based duplicate detection fails

52
URL obfuscation
  • Proxy hides the origin
  • HTML comment tags with random content

55
Token (colour) manipulation
  • Same colour font and background (invisible text)
  • OR
  • Difficult to read text
  • With random characters / junk words

60
HTML Tag Corruption
  • Corrupt the tags so parsing is not possible!

62
Heuristic Grooming
  • Negative rule bashing: pad the mail with content
    that heuristic filters score as legitimate
  • Legal disclaimers, PGP signatures, forgotten-
    password notices
  • Problems for products!

64
Fooling Bayesian Filters
  • Populate the text with random words to dilute the
    spam tokens
  • Maybe invisible too!

66
Fooling Trainers and Collaborative Systems
  • Use false tokens
  • Increase the rate of false positives to
    un-acceptable levels
  • Make the anti-spam solution unviable

68
All these spam samples were taken from ONE DAY's
spam mail!!
69
Web bugs/Spam Beacons
  • Mail clients such as Outlook fetch images from the
    spammer's website when the mail is rendered
  • The spammer then knows when you opened the mail
    and, if the image URL carries an identifier, your
    mail address as well
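Slides 47 to 69 list the tricks used to beat keyword, heuristic and Bayesian filters: split or digit-substituted tokens, HTML comments inside words, text hidden by giving it the background colour, random word padding, and web bugs. The Python below is added here as an example and is not part of the presentation or of any product it mentions. It undoes those tricks before a text filter sees the message: it parses the HTML with the standard library, separates hidden from visible text, rejoins split words, maps digit-for-letter substitutions back and flags remote tracking images. The sample mail, the colour table, the keyword list and the scoring are constructed for the example.

```python
"""Normalise an HTML spam message so that the evasion tricks on the slides
stop working. Added example; sample mail, colour table and keyword list are
constructed, not from the presentation."""
import re
from html.parser import HTMLParser

BLOCK_TAGS = {"p", "br", "div", "tr", "td", "li", "table", "h1", "h2", "h3"}
NAMED_COLORS = {"white": "ffffff", "black": "000000"}   # assumption: tiny subset
SPAM_TERMS = {"viagra", "mortgage", "refinance"}        # constructed, not a real list
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
# letters separated by single dots/dashes/spaces etc., e.g. "V.i.a.g.r.a" or "V i a g r a"
SPLIT_WORD = re.compile(r"\b(?:\w[ .\-_*+~]){3,}\w\b")


def norm_color(value):
    if value is None:
        return None
    v = value.strip().lower().lstrip("#")
    return NAMED_COLORS.get(v, v)


class MailTextExtractor(HTMLParser):
    """Separates visible text from text hidden by colour, counts comments
    (which split words so keyword matching fails) and spots remote images."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.beacons = [], [], []
        self.comments = 0
        self.bgcolor = None
        self._font_hidden = []          # one flag per open <font>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body":
            self.bgcolor = norm_color(a.get("bgcolor"))
        elif tag == "font":
            color = norm_color(a.get("color"))
            self._font_hidden.append(color is not None and color == self.bgcolor)
        elif tag == "img":
            src = a.get("src", "")
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if src.startswith("http") and ("?" in src or tiny):
                self.beacons.append(src)        # remote image that identifies the reader
        if tag in BLOCK_TAGS:
            self.visible.append(" ")

    def handle_endtag(self, tag):
        if tag == "font" and self._font_hidden:
            self._font_hidden.pop()
        if tag in BLOCK_TAGS:
            self.visible.append(" ")

    def handle_comment(self, data):
        self.comments += 1              # adds no text, so "Hel<!--x-->lo" rejoins to "Hello"

    def handle_data(self, data):
        target = self.hidden if any(self._font_hidden) else self.visible
        target.append(data)


def normalize(text):
    """Rejoin split words, lowercase, undo digit-for-letter substitutions."""
    text = SPLIT_WORD.sub(lambda m: re.sub(r"[ .\-_*+~]", "", m.group(0)), text)
    tokens = re.findall(r"[a-z0-9@$]+", text.lower())
    out = []
    for t in tokens:
        if re.search(r"[a-z]", t) and re.search(r"[0-9@$]", t):
            t = t.translate(LEET)       # only mixed tokens, so "2005" stays a number
        out.append(t)
    return out


def analyze(html):
    p = MailTextExtractor()
    p.feed(html)
    p.close()
    visible = normalize("".join(p.visible))
    hidden = normalize("".join(p.hidden))
    hits = sorted({t for t in visible if t in SPAM_TERMS})
    score = len(hits) + (1 if hidden else 0) + (1 if p.comments else 0) + (1 if p.beacons else 0)
    return {"visible": visible, "hidden_words": len(hidden), "comments": p.comments,
            "beacons": p.beacons, "keyword_hits": hits, "score": score}


# Constructed sample combining the tricks from the slides
SAMPLE_MAIL = """<html><body bgcolor="#FFFFFF">
<p>Hel<!-- k93x -->lo, get V.i.a.g.r.a and a cheap m0rtgage today!</p>
<font color="white">aardvark tapestry fiddle quorum lantern</font>
<p>Click <a href="http://example.invalid/go">here</a></p>
<img src="http://example.invalid/track.gif?id=12345" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE_MAIL))
```

The point of keeping hidden text separate rather than deleting it is that its presence is itself evidence: legitimate mail has no reason to carry five dictionary words in white on white. The same goes for a mid-word comment or a one-pixel remote image, so each of them adds to the score even before any keyword is seen.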

70
Metamorphic Spam Trojans
  • Target neglected always-on PCs
  • Propagate under remote control
  • Invisible hosting of spammers' websites
  • Auto-installation of an SMTP server engine
  • Hijack the PC and convert it into a proxy

71
Spamware
  • Atomic Email Hunter
  • Stealth Mail Master

74
Barracuda Anti-spam Solution
  • From Barracuda Networks, USA

75
IIT Kanpur
76
Barracuda Spam Firewall Family
  • Comprehensive solution
  • Blocks spam and virus
  • Enterprise class
  • Robust and reliable
  • Plug-and-play
  • No per user licensing fees
  • No changes needed to email servers
  • Integrated hardware and software solution

77
Barracuda Spam Firewall
  • Eliminates Spam and Virus
  • Protects your email server and your company

78
Architecture 10 Defense Layers
  • High performance
  • Easily scalable

79
Barracuda Spam Firewall Family
  • Spam Firewall 100
  • 250 users
  • 500,000 mails/day
  • Spam Firewall 300
  • 1,000 users
  • 4 million messages/day
  • Spam Firewall 400
  • 5000 users
  • 10 million messages/day
  • Spam Firewall 600
  • 10,000 users
  • 25 million messages/day
  • Spam Firewall 800
  • 25,000 users
  • 30 million messages/day

Clustering support for redundancy and
higher capacity
NEW! Outbound Product!
80
Thank You
peter@itsecure.com
81
Advice to students on the proper use of the
System Administrator's valuable time
82
Advice (1)
  • Make sure to save all your MP3 files on your
    network drive. Sys Admin will back them up for
    you!
  • Play with all the wires you can find. If you
    can't find enough, open something up to expose
    them. After you have finished, and nothing works
    anymore, put it all back together and call Sys
    Admin. Deny that you touched anything and that it
    was working perfectly only five minutes ago. Sys
    Admin just loves a good mystery.
  • Never write down error messages. Just click OK,
    or restart your computer. Sys Admin likes to
    guess what the error message was.

83
Advice (2)
  • If you get an EXE file in an email attachment,
    open it immediately. Sys Admin likes to make sure
    the anti-virus software is working properly
  • When Sys Admin sends you an email marked as
    "Highly Important" or "Action Required", delete
    it at once. He's probably just testing some
    new-fangled email software.

84
Advice (3)
  • When the photocopier doesn't work, call Sys
    Admin. There's electronics in it, so it should be
    right up his alley.
  • When you're getting a NO DIAL TONE message at
    your home computer, call Sys Admin. He enjoys
    fixing telephone problems from remote locations.
    Especially on weekends and holidays
  • When the printer won't print, re-send the job 20
    times in rapid succession. That should do the
    trick.