IT’S TIME TO FIX THE FIREWALL

NEXT GENERATION FIREWALLS
FOR WEB 2.0 – IPS & IDS



                        | presentation
Agenda
Introductions

The Talk

Questions
  invited during the talk
  towards the end
  live cast polls throughout




Introductions



 Simon Richardson
 Founder & Managing Partner
 ITogether
 www.itogether.co.uk




It’s time to fix the firewall



About ITogether

 A forward thinking Integrator founded in November 2005

 A partnership based in Leeds, Yorkshire

 Corporate & Government and SME customer base

 Nationwide and Worldwide customer base

 Our staff have backgrounds at, O2, Orange, BT, KCOM, DLA Piper,
 Integralis, Sopra, Gaz De France, Netscape, WS Atkins, Provident,
 Legend Communications




Introduction

•   One of information security’s oldest devices
•   Many firewalls today due for renewal (ageing hardware or can’t keep
    up with throughput demands)
•   Recession has meant that renewal and improvement have been
    significantly delayed in the last 2 years.
•   The firewall’s mandate increases to cater for web 2.0 and other
    drivers
•   Should I upgrade this model to a faster one from the same vendor,
    switch vendors, or upgrade to NG FW?
•   Gartner coined the term NG FW (Next Generation Firewalls)




History Lesson

•   Around 20 years old
•   Developed from early packet and circuit firewalls, to application
    layer and dynamic packet firewall today
•   The goal has been to provide a protective barrier for the internal
    network, from the external network, whilst allowing productive
    comms to pass.
•   Today with new web applications (particularly in the last 2-3 years)
    and evolving security threats, firewalls need to evolve to meet and
    beat those threats.




What Problems Are We Trying to Solve ?

1.   Applications - Web 2.0 - a new generation of business
     and personal Internet applications
2.   Threats - Web 2.0 threats targeting applications, sensitive
     data and IT resources
3.   Users - Internet-savvy employees have taken control of
     the network – confidence with new technologies and apps at
     home and on the smartphone continues to drive this.
4.   Data Loss - Risk of sensitive and confidential data leaving
     the network
5.   Security - Traditional firewalls and security devices can’t
     see or control any of the above



What’s Happening on Enterprise Networks?




IT Has Lost Control and Needs Help

[Diagram labels: Risks, Work Life, Rewards, Internet, Enterprise, Home Life]


1.   Driven by new generation of addicted Internet users – smarter than IT ?
2.   Full, unrestricted access to everything on the Internet is a right
3.   They’re creating a giant social system - collaboration, group knowledge
4.   Not waiting around for IT support or endorsement – IT is irrelevant
5.   Result - a “social enterprise” full of potential risks and rewards

Real World Data from Enterprise Networks



•   Application Usage and Risk Report
     • Published by Palo Alto Spring/Autumn each year
     • 200+ large enterprises; 1,000,000+ users
     • 650+ different Internet applications
     • 255 Enterprise 2.0/collaboration apps (38% of total)
     • 70% of Enterprise 2.0 apps are “high risk”


•   All of these organizations have firewalls; most have IPS, proxies, URL filtering, etc.

Employees are Creating Web 2.0
Bottom line: all had firewalls, most had IPS, proxies, & URL filtering –
but none of these organisations could control what applications ran on
their networks




And Use of These Applications is Accelerating

[Three bar charts comparing Spring 2009 with Fall 2009 on a 0 to 100 scale:
 Growth in Webmail Applications (aim-mail, facebook-mail, yahoo-mail, gmail, hotmail);
 Growth in Social Networking Applications (plaxo, imeem, myspace, linkedin, facebook);
 Growth in Instant Messaging Applications (meebo, facebook-chat, msn, gmail-chat, twitter)]



Information Could Be Leaking Everywhere

Applications That Can Lead to Data Loss

•   Instant Messaging - 96%
•   Web Mail (non-corporate) - 96%
•   Social Networking - 95%
•   Browser-based Filesharing - 91%
•   P2P Filesharing - 87%
•   Google Docs - 82%
•   Web Posting - 79%
•   Client-Server Email (non-corporate) - 66%




Use of These Applications is Also Accelerating

Blog and Wiki Editing Application Usage (Spring 2009 / Fall 2009)

•   Yahoo-Finance-Posting - 11% / 16%
•   Mediawiki-Editing - 5% / 26%
•   Blog-Posting - 24% / 48%
•   Blogger-Blog-Posting - 22% / 51%
•   VBulletin-Posting - 2% / 58%


SharePoint

Unique Threats Found In SharePoint Deployments

•   IIS (18)
•   SQL (15)
•   ASP (1)
•   SP (1)

Severity: Critical (7), High (8), Medium (20)





In total, more than 220,000 SharePoint threat instances were found!
Employees Are Out of Control – IT is Helpless

• Employee attitudes and behaviors
       • 64% - understand some apps can result in data leakage
       • 33% - experienced security issues when using an app
       • 45% - did nothing when confronted with a security breach
       • 61% - feel more productive using internet apps




• IT perspectives on the problem
       • 59% - admit these apps are completely uncontrolled
       • 48% - don’t know what apps are used by employees


IT is Experiencing Risks Without the Rewards

• Non-compliance
    • Unapproved applications – IM, web mail in financial services
• Data loss
    • Unauthorised employee file transfer, data sharing

• Employee productivity loss
    • Uncontrolled, excessive use of personal applications

• Excessive operational costs
    • Excessive bandwidth consumption, desktop cleanup

• Business dis-continuity
    • Malware or application vulnerability induced downtime

Why Has IT Been Unable to Regain Control ?




The Problem Begins at the Firewall, which is why we need to fix it!

• Firewalls should provide visibility and control of applications, users,
  and content . . .

  . . . but they only show you ports, protocols, packets, and IP
  addresses – all meaningless!
Customers Don’t Know What They Don’t Know!

      User              Port    Protocol    Application

 •   Port 80 is much more than Web browsing . . .
      216.27.61.137     80      HTTP        Web Browsing?
      Mary Jones        80      IM          Yahoo-IM

 •   Port 443 is an encrypted mystery . . .
      136.49.15.395     443     HTTPs       Secure banking?
      Paul King         443     email       Google gMail

 •   Other ports are being exploited . . .
      315.44.29.603     5060    SIP         VOIP?
      John Smith        many    Gnutella    Limewire P2P
Customers Don’t Know What They Don’t Know!

 • Cyber criminals have targeted, and used, legitimate websites. No
   need for your users to ‘enter’ the dark areas of the Internet

 • Compromised sites include, The Wall St Journal, the New York
   Times, ESPN, NASDAQ.

 • Most of the SANS Top 20 threats are application based




Device Sprawl and UTM Do Not Solve the Problem



                                                                    Internet




    • Complexity and cost increase
    • Performance decreases - latency
    • Still no visibility or control of the Enterprise 2.0



• Some vendors will tell you that UTM is the answer. UTM is not the
  answer, even for SMB.

More Devices = Good News, Bad News


•   Intrusion Prevention Systems
     • Good: Looks for threats and “bad” applications
     • Bad: No control; just stop limited number of apps, slow performance

•   URL Filtering
     • Good: Stops users from surfing porn, gambling, etc.
     • Bad: Can’t stop growing number of evasive apps (P2P, Skype, etc.)

•   Proxies:
     • Good: Terminate connections, control access to sensitive data
     • Bad: Supports limited number of apps, and often breaks them




How to Solve This Problem?




Fix The Firewall

Five Essential Requirements of an NG firewall


1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Granular visibility and policy control over application access /
  functionality
5. Multi-gigabit, in-line deployment with no performance degradation




NGFW Requirements
    In “Defining the Next-Generation Firewall,” Gartner provides the best
    definition
 Application Awareness and Full Stack Visibility
App-ID Identifies and controls 900+ applications

 Integrated Rather Than Co-Located IPS
Content-ID includes full IPS, without compromising performance

 Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy

 Standard First-Generation Firewall Capabilities
Packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.

 Support “bump in the wire” Deployments
Multiple options for transparent deployment behind existing firewalls




Transform the Firewall

App-ID
Identify the application




User-ID
Identify the user




Content-ID
Scan the content

Single-Pass Parallel Processing Architecture

Single Pass
• Operations once per packet
    -   Traffic classification (app identification)
    -   User/group mapping
    -   Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes

Up to 10Gbps, Low Latency

Applications Require Fine-Grained Control
  Applications use any port, evade, and encrypt
   - Must see all traffic
   - Must decrypt where appropriate
   - Block or Allow is inadequate to meet business requirements
   - Keeping pace with 2.0 updates can sometimes be very difficult; for
     example, in one week alone there were 231 individual changes to
     LinkedIn, Facebook and Twitter!

  Applications require a fine-grained response
   - Deny – even unknown applications
   - Allow
   - Allow but scan
   - Allow certain users
   - Allow certain functions
   - Shape (QoS)
   - and various combinations of the above

[Diagram: Network Control scale from Low to High]
Full Visibility into Applications, Users, Content




[Screenshot callouts: Filter on Skype; Filter on Skype and user Harris; What else is Harris using]
Executive and Detail Reports on What’s Happening




Page 32 |   © 2009 Palo Alto Networks. Proprietary and Confidential.
Essential Firewall Features we expect today and in NG firewalls

• Strong networking foundation
    • Dynamic routing (OSPF, RIPv2)
    • Tap mode – connect to SPAN port
    • Virtual wire (“Layer 1”) for true transparent in-line deployment
    • L2/L3 switching foundation (traditional routing L3 and bump in
      the wire L2)
• VPN
    • Site-to-site IPSec VPN
    • SSL VPN
• Zone-based architecture
    • All interfaces assigned to security zones for policy enforcement
• High Availability
    • Active / passive
    • Highly stable
    • Configuration and session synchronization
    • Path, link, and HA monitoring
• Virtual Systems
    • multiple virtual firewalls in a single device
• Simple, flexible management
    • CLI, Web, SNMP, Syslog
    • NAT
    • Application awareness/control
    • User/group controls



Solutions Driving Change

Replace the Firewall
• Problem
    •   Can’t see or control Enterprise 2.0 apps
    •   Users in charge, policies ignored
• Solution
    •   Visibility of 900+ applications
    •   Identification of application users
    •   Fine-grained control over applications

Replace the IPS
• Problem
    •   Apps are conduit for new threats
    •   IPS kills apps, can’t control them
• Solution
    •   Control apps to reduce attack surface
    •   Stop threats, w/integrated IPS
    •   Stop leaks of confidential data
    •   Stream-based engine ensures high performance

Simplify Infrastructure
• Problem
    •   Security too complex; costs too high
• Solution
    •   Fix the firewall – that’s why cost and complexity is high
    •   Consolidate other features into integrated platform
    •   Redeploy cost savings to other products in your portfolio
The Application Landscape Has Changed

[Diagram: columns Organisations, Users and Hackers; axis labels “Life is Good”, “Increased Risk” and “Decreased Control”]

• Left of diagram: IT driven; Explicit risk analysis; Predictable behavior
• Right of diagram: Primarily end user driven; Little regard for risks;
  Unpredictable/evasive behavior
• Application and threat labels: Web Server, Web Browser, E-Mail,
  Enterprise VoIP, ERP, Office Productivity, IM, P2P, PC Remote Control,
  Social Networking, Personal VoIP, Web Mail, Media, Games, Exploits,
  Trojans, Spyware, Cookies, Adware

The IPS Market Will Eventually Disappear




Application Awareness and Full Stack Visibility

Extra-Firewall Intelligence to Identify Users

Integrated Rather Than Co-Located IPS




   IDC: Market for IPS decreased 22% in 2009

Why Traditional IPS is Ineffective




•   Traditional IPS has a negative security model –
    can only “find it and kill it”
•   Traditional IPS can’t see into growing volumes
    of SSL-encrypted traffic, nor into compressed
    content
•   Next-generation firewalls +IPS enable “allow
    application, but scan for threats”
•   Gartner’s Recommendations:
     • Move to next-generation firewalls at the next
        refresh opportunity – whether for firewall,
        IPS, or the combination of the two.
Best Practices
•        First, identify and block all “bad” applications
     •    Could include P2P, gaming, TOR, UltraSurf, software proxies
     •    App-ID identifies 900+ applications
•        Second, safely enable all “good” applications
     •    Content-ID prevents threats from piggybacking on “good” applications
     •    Scan HTTP, SSL, and compressed content
     •    Block exploits, viruses, spyware downloads and phone home

•      Solid research and support – fast deployment of new protections
     • Member of MAPP; credited with more Microsoft vulnerability discoveries in
        the last 6 months than any other IPS vendor research team
•      Sustained high performance Firewall + IPS platform
     • Simplified policy control
     • Multi-Gbps, low latency - even when scanning both client and server traffic




Other Security and Networking Budgets



•    Budgeted technologies
      • URL filtering
      • Proxy appliances
      • Anti-virus appliances
      • DLP solutions / PCI compliance


      • Use these maintenance budgets to replace firewalls with NG ones




Segmentation to Isolate Cardholder Data
•   Only Finance users in Active Directory can access cardholder zone (rule 1)
•   Oracle is the only application allowed (rule 1)
•   Block inbound threats (rule 1)
•   Monitor/block outbound cardholder data transfer (rule 1)
•   Deny and log all else (rule 2)

[Diagram labels: Finance Users, Users, WAN and Internet, Palo Alto Networks, Cardholder Servers, Infrastructure Servers, Development Servers]
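
The two-rule segmentation policy above, modelled as an added example (not the presentation's or any vendor's configuration): rules match on directory group, identified application and destination zone rather than IP address and port, the first match wins, and everything else is denied and logged. The user names, zone and application labels are hypothetical, the group table stands in for Active Directory, and content inspection is narrowed to one check, a Luhn-valid card number in data leaving the cardholder zone; inbound threat scanning is not modelled.

```python
"""Added example: first-match policy keyed on user group, application and zone."""
import re
from dataclasses import dataclass

# Constructed stand-in for Active Directory group membership (user -> groups).
GROUPS = {"alice": {"Finance"}, "bob": {"Engineering"}}

PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_cardholder_data(text: str) -> bool:
    return any(luhn_valid(m.group()) for m in PAN_CANDIDATE.finditer(text))


@dataclass(frozen=True)
class Flow:
    user: str            # identity from user mapping; "" when the source is unmapped
    dst_zone: str
    app: str             # label from application identification, not the port
    response: str = ""   # data returned towards the user


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    dst_zone: str = "any"
    groups: frozenset = frozenset()    # empty means any user
    apps: frozenset = frozenset()      # empty means any application
    block_cardholder_data: bool = False


POLICY = [
    Rule("rule 1", "allow", dst_zone="cardholder", groups=frozenset({"Finance"}),
         apps=frozenset({"oracle"}), block_cardholder_data=True),
    Rule("rule 2", "deny"),            # deny and log all else
]


def evaluate(flow, policy=POLICY, log=None):
    """Return (verdict, rule name); denied and blocked flows are appended to log."""
    log = log if log is not None else []
    user_groups = GROUPS.get(flow.user, set())
    for rule in policy:
        if rule.dst_zone not in ("any", flow.dst_zone):
            continue
        if rule.groups and not (rule.groups & user_groups):
            continue
        if rule.apps and flow.app not in rule.apps:
            continue
        if rule.action == "deny":
            log.append(("deny", rule.name, flow.user, flow.app))
            return ("deny", rule.name)
        if rule.block_cardholder_data and contains_cardholder_data(flow.response):
            log.append(("block", rule.name, flow.user, flow.app))
            return ("block", rule.name)
        return ("allow", rule.name)
    log.append(("deny", "implicit", flow.user, flow.app))
    return ("deny", "implicit")


if __name__ == "__main__":
    events = []
    # Constructed flows; 4111111111111111 is a Luhn-valid test number.
    for f in (Flow("alice", "cardholder", "oracle", "12 rows updated"),
              Flow("alice", "cardholder", "oracle", "pan=4111111111111111"),
              Flow("bob", "cardholder", "oracle"),
              Flow("alice", "cardholder", "ssh")):
        print(f.user, f.app, evaluate(f, log=events))
    print(events)
```
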
Flexible Deployment Options

Visibility
• Application, user and content visibility without inline deployment

Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering

Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering

“I’m fine, No Problems Here”

My proxy gives me application control
• Proxy/Caches are great for bandwidth reduction
• Proxies slow and break applications
• Proxies control limited set of applications (~15)
• Adding new applications is long and painful
• Only identify based on URL string and IP addresses

I’m protected by IPS and URL filtering
• Blocking is not always best solution
• IPS stops limited set of “bad applications”
• URL filtering control is limited to web surfing
• 54% of HTTP traffic are C/S applications – URL filtering can’t control

I have no issues with app visibility, control
• You don’t know what you don’t know
• AVR report shows users have taken control
• Do a POC of an NG firewall and prove it!




Take Home Thoughts


        Ask your Network Security team to produce a report
        of Web 2.0 activity ‘today’ and then ask them what
        levels of control you have today – you will be
        concerned.

        Re-evaluate your corporate Web 2.0 user
        policy/AUP through research and identify how that
        will be audited through technology (NG firewall)

        It is unlikely your current firewall technology will
        give you Web 2.0 protection. Start planning now to
        find one that will.

        Consider using budgets for IPS/URL/Gateway AV
        to fund firewall replacement projects with NG
        firewalls
THANK YOU
& QUESTIONS




Contact Details
Simon Richardson
Managing Partner
ITogether
Security Solutions
simon@itogether.co.uk
0113 341 0126





Acxiom Interactive Marketing Summit- The Marriage of Social Analytics & Socia...
 
Enterprise 2.0: social networks behind the firewall
Enterprise 2.0: social networks behind the firewallEnterprise 2.0: social networks behind the firewall
Enterprise 2.0: social networks behind the firewall
 
Digital Divide - Mexico Monterrey Universsity - Sergio Cabral IdeaValley
Digital Divide - Mexico Monterrey Universsity - Sergio Cabral IdeaValleyDigital Divide - Mexico Monterrey Universsity - Sergio Cabral IdeaValley
Digital Divide - Mexico Monterrey Universsity - Sergio Cabral IdeaValley
 
The total impossibility of customer experience management
The total impossibility of customer experience managementThe total impossibility of customer experience management
The total impossibility of customer experience management
 
The Total Impossibility of Customer Experience Management (CEM)
The Total Impossibility of Customer Experience Management (CEM)The Total Impossibility of Customer Experience Management (CEM)
The Total Impossibility of Customer Experience Management (CEM)
 
The total impossibility of CEM
The total impossibility of CEMThe total impossibility of CEM
The total impossibility of CEM
 
2 presentatie plenair ilkka-tuomi
2 presentatie plenair ilkka-tuomi2 presentatie plenair ilkka-tuomi
2 presentatie plenair ilkka-tuomi
 
2 presentatie plenair ilkka-tuomi
2 presentatie plenair ilkka-tuomi2 presentatie plenair ilkka-tuomi
2 presentatie plenair ilkka-tuomi
 
Naar een overtuigende koopervaring
Naar een overtuigende koopervaringNaar een overtuigende koopervaring
Naar een overtuigende koopervaring
 
Office Systems In The Year 2000
Office Systems In The Year 2000Office Systems In The Year 2000
Office Systems In The Year 2000
 
Eurocitie E Inclusion Demand And Offer Digital Divides
Eurocitie E Inclusion Demand And Offer Digital DividesEurocitie E Inclusion Demand And Offer Digital Divides
Eurocitie E Inclusion Demand And Offer Digital Divides
 
Sirota 2009 Research Hr Reset And Jobless Recovery For Print
Sirota 2009 Research Hr Reset And Jobless Recovery For PrintSirota 2009 Research Hr Reset And Jobless Recovery For Print
Sirota 2009 Research Hr Reset And Jobless Recovery For Print
 
Internationalizing value creation_Teigland
Internationalizing value creation_TeiglandInternationalizing value creation_Teigland
Internationalizing value creation_Teigland
 
Introduction aux RH 2.0
Introduction aux RH 2.0Introduction aux RH 2.0
Introduction aux RH 2.0
 

Kürzlich hochgeladen

How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Kürzlich hochgeladen (20)

How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Its time to Fix the Firewall

  • 1. IT’S TIME TO FIX THE FIREWALL NEXT GENERATION FIREWALLS FOR WEB 2.0 – IPS & IDS | presentation
  • 2. Agenda Introductions The Talk Questions invited during the talk towards the end live cast polls throughout | presentation
  • 3. Introductions Simon Richardson Founder & Managing Partner ITogether www.itogether.co.uk | presentation
  • 4. It’s time to fix the firewall | presentation
  • 5. About ITogether A forward thinking Integrator founded in November 2005 A partnership based in Leeds, Yorkshire Corporate & Government and SME customer base Nationwide and Worldwide customer base Our staff have backgrounds at, O2, Orange, BT, KCOM, DLA Piper, Integralis, Sopra, Gaz De France, Netscape, WS Atkins, Provident, Legend Communications | presentation
  • 6. Introduction • One of information security’s oldest devices • Many firewalls today due for renewal (ageing hardware or can’t keep up with throughput demands) • Recession has meant that renewal and improvement have been significantly retarded in the last 2 years. • The firewall’s mandate increases to cater for web 2.0 and other drivers • Should I upgrade this model to a faster one from the same vendor, switch vendors, or upgrade to NG FW? • Gartner coined the term NG FW (Next Generation Firewalls) | presentation
  • 7. History Lesson • Around 20 years old • Developed from early packet and circuit firewalls, to application layer and dynamic packet firewall today • The goal has been to provide a protective barrier for the internal network, from the external network, whilst allowing productive comms to pass. • Today with new web applications (particularly in the last 2-3 years) and evolving security threats, firewalls need to evolve to meet and beat those threats. | presentation
  • 8. What Problems Are We Trying to Solve? 1. Applications - Web 2.0 - a new generation of business and personal Internet applications 2. Threats - Web 2.0 threats targeting applications, sensitive data and IT resources 3. Users - Internet-savvy employees have taken control of the network – confidence of new technologies and apps at home and on the smartphone continue to drive this. 4. Data Loss - Risk of sensitive and confidential data leaving the network 5. Security - Traditional firewalls and security devices can’t see or control any of the above | presentation
  • 9. What’s Happening on Enterprise Networks? | presentation
  • 10. IT Has Lost Control and Needs Help [Diagram labels: Work Life, Home Life, Internet, Enterprise, Risks, Rewards] 1. Driven by new generation of addicted Internet users – smarter than IT? 2. Full, unrestricted access to everything on the Internet is a right 3. They’re creating a giant social system - collaboration, group knowledge 4. Not waiting around for IT support or endorsement – IT is irrelevant 5. Result - a “social enterprise” full of potential risks and rewards | presentation
  • 11. Real World Data from Enterprise Networks • Application Usage and Risk Report • Published by Palo Alto Spring/Autumn each year • 200+ large enterprises; 1,000,000+ users • 650+ different Internet applications • 255 Enterprise 2.0/collaboration apps (38% of total) • 70% of Enterprise 2.0 apps are “high risk” • All of these organizations have firewalls; most have IPS, proxies, URL filtering, etc | presentation
  • 12. Employees are Creating Web 2.0 Bottom line: all had firewalls, most had IPS, proxies, & URL filtering – but none of these organisations could control what applications ran on their networks | presentation
  • 13. And Use of These Applications is Accelerating [Charts, Spring 2009 vs Fall 2009: Growth in Webmail Applications; Growth in Social Networking Applications; Growth in Instant Messaging Applications] | presentation
  • 14. Information Could Be Leaking Everywhere [Chart: Applications That Can Lead to Data Loss] • Instant Messaging 96% • Web Mail (non-corporate) 96% • Social Networking 95% • Browser-based Filesharing 91% • P2P Filesharing 87% • Google Docs 82% • Web Posting 79% • Client-Server Email (non-corporate) 66% | presentation
  • 15. Use of These Applications is Also Accelerating [Chart: Blog and Wiki Editing Application Usage, Spring 2009 vs Fall 2009; categories: Yahoo-Finance-Posting, Mediawiki-Editing, Blog-Posting, Blogger-Blog-Posting, VBulletin-Posting] | presentation
  • 16. SharePoint [Chart: Unique Threats Found In SharePoint Deployments] • IIS (18) • SQL (15) • ASP (1) • SP (1) • Severity: Critical (7), High (8), Medium (20) • In total, more than 220,000 SharePoint threat instances were found! | presentation
  • 17. Employees Are Out of Control – IT is Helpless • Employee attitudes and behaviors • 64% - understand some apps can result in data leakage • 33% - experienced security issues when using an app • 45% - did nothing when confronted with a security breach • 61% - feel more productive using internet apps • IT perspectives on the problem • 59% - admit these apps are completely uncontrolled • 48% - don’t know what apps are used by employees | presentation
  • 18. IT is Experiencing Risks Without the Rewards • Non-compliance • Unapproved applications – IM, web mail in financial services • Data loss • Unauthorised employee file transfer, data sharing • Employee productivity loss • Uncontrolled, excessive use of personal applications • Excessive operational costs • Excessive bandwidth consumption, desktop cleanup • Business dis-continuity • Malware or application vulnerability induced downtime | presentation
  • 19. Why Has IT Been Unable to Regain Control ? | presentation
  • 20. The Problem Begins at the Firewall, which is why we need to fix it! • Firewalls should provide visibility and control of applications, users, and content ... but they only show you ports, protocols, packets, and IP addresses – all meaningless! | presentation
  • 21. Customers Don’t Know What They Don’t Know! (columns: User / Port / Protocol / Application) • Port 80 is much more than Web browsing... 216.27.61.137 / 80 / HTTP / Web Browsing?; Mary Jones / 80 / IM / Yahoo-IM • Port 443 is an encrypted mystery... 136.49.15.395 / 443 / HTTPs / Secure banking?; Paul King / 443 / email / Google gMail • Other ports are being exploited... 315.44.29.603 / 5060 / SIP / VOIP?; John Smith / many / Gnutella / Limewire P2P | presentation
  • 22. Customers Don’t Know What They Don’t Know! • Cyber criminals have targeted, and used, legitimate websites. No need for your users to ‘enter’ the dark areas of the Internet • Compromised sites include The Wall St Journal, the New York Times, ESPN, NASDAQ. • Most of the SANS Top 20 threats are application based | presentation
  • 23. Device Sprawl and UTM Do Not Solve the Problem Internet • Complexity and cost increase • Performance decreases - latency • Still no visibility or control of the Enterprise 2.0 • Some vendors will tell you that UTM is the answer. UTM is not the answer, even for SMB. | presentation
  • 24. More Devices = Good News, Bad News • Intrusion Prevention Systems • Good: Looks for threats and “bad” applications • Bad: No control; just stop limited number of apps, slow performance • URL Filtering • Good: Stops users from surfing porn, gambling, etc. • Bad: Can’t stop growing number of evasive apps (P2P, Skype, etc.) • Proxies: • Good: Terminate connections, control access to sensitive data • Bad: Supports limited number of apps, and often breaks them | presentation
  • 25. How to Solve This Problem? | presentation
  • 26. Fix The Firewall Five Essential Requirements of an NG firewall 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify users regardless of IP address 3. Protect in real-time against threats embedded across applications 4. Granular visibility and policy control over application access / functionality 5. Multi-gigabit, in-line deployment with no performance degradation | presentation
  • 27. NGFW Requirements In “Defining the Next-Generation Firewall,” Gartner provides the best definition • Application Awareness and Full Stack Visibility: App-ID identifies and controls 900+ applications • Integrated Rather Than Co-Located IPS: Content-ID includes full IPS, without compromising performance • Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy • Standard First-Generation Firewall Capabilities: Packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc. • Support “bump in the wire” Deployments: Multiple options for transparent deployment behind existing firewalls | presentation
  • 28. Transform the Firewall App-ID Identify the application User-ID Identify the user Content-ID Scan the content | presentation
  • 29. Single-Pass Parallel Processing Architecture Single Pass • Operations once per packet - Traffic classification (app identification) - User/group mapping - Content scanning – threats, URLs, confidential data • One policy Parallel Processing • Function-specific parallel processing hardware engines • Separate data/control planes Up to 10Gbps, Low Latency | presentation
  • 30. Applications Require Fine-Grained Control Applications use any port, evade, and encrypt - Must see all traffic - Must decrypt where appropriate - Block or Allow inadequate to meet business requirements - Keeping pace with 2.0 updates can sometimes be very difficult, for example in one week alone there were 231 individual changes to Linkedin, Facebook and Twitter! Applications require a fine-grained response [graphic: Network Control, Low to High] - Deny – even unknown applications - Allow - Allow but scan - Allow certain users - Allow certain functions - Shape (QoS) - and various combinations of the above | presentation
  • 31. Full Visibility into Applications, Users, Content Filter on Skype What else is Harris using Filter on Skype and user Harris | presentation
  • 32. Executive and Detail Reports on What’s Happening Page 32 | © 2009 Palo Alto Networks. Proprietary and Confidential. 2008 | presentation
  • 33. Essential Firewall Features we expect today and in NG firewalls • Strong networking foundation: Dynamic routing (OSPF, RIPv2); Tap mode – connect to SPAN port; Virtual wire (“Layer 1”) for true transparent in-line deployment; L2/L3 switching foundation (traditional routing L3 and bump in the wire L2) • VPN: Site-to-site IPSec VPN; SSL VPN • Zone-based architecture: All interfaces assigned to security zones for policy enforcement • NAT • Application awareness/control • User/group controls • High Availability: Active / passive; Highly stable; Configuration and session synchronization; Path, link, and HA monitoring • Virtual Systems: multiple virtual firewalls in a single device • Simple, flexible management: CLI, Web, SNMP, Syslog | presentation
  • 34. Solutions Driving Change • Replace the Firewall. Problem: Can’t see or control Enterprise 2.0 apps; Users in charge, policies ignored. Solution: Visibility of 900+ applications; Identification of application users; Fine-grained control over applications • Replace the IPS. Problem: Apps are conduit for new threats; IPS kills apps, can’t control them. Solution: Control apps to reduce attack surface; Stop threats, w/integrated IPS; Stop leaks of confidential data; Stream-based engine ensures high performance • Simplify Infrastructure. Problem: Security too complex; costs too high. Solution: Fix the firewall – that’s why cost and complexity is high; Consolidate other features into integrated platform; Redeploy cost savings to other products in your portfolio | presentation
  • 35. The Application Landscape Has Changed [Diagram. Group labels: Organisations, Users, Hackers, Personal, Enterprise. Scale labels: Increased Risk, Decreased Control, Life is Good. Notes: IT driven, explicit risk analysis, predictable behavior; primarily end user driven, little regard for risks, unpredictable/evasive behavior. Items shown: Exploits, Trojans, Spyware, Adware, Cookies, P2P, IM, PC Remote Control, Social Networking, Web Server, Web Browser, E-Mail, Web Mail, VoIP, Media, Games, ERP, Office Productivity] | presentation
  • 36. The IPS Market Will Eventually Disappear Application Awareness and Full Stack Visibility Extra-Firewall Intelligence to Identify Users Integrated Rather Than Co-Located IPS IDC: Market for IPS decreased 22% in 2009 | presentation
  • 37. Why Traditional IPS is Ineffective • Traditional IPS has a negative security model – can only “find it and kill it” • Traditional IPS can’t see into growing volumes of SSL-encrypted traffic, nor into compressed content • Next-generation firewalls +IPS enable “allow application, but scan for threats” • Gartner’s Recommendations: • Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two. | presentation
  • 38. Best Practices • First, identify and block all “bad” applications • Could include P2P, gaming, TOR, UltraSurf, software proxies • App-ID identifies 900+ applications • Second, safely enable all “good” applications • Content-ID prevents threats from piggybacking on “good” applications • Scan HTTP, SSL, and compressed content • Block exploits, viruses, spyware downloads and phone home • Solid research and support – fast deployment of new protections • Member of MAPP; credited with more Microsoft vulnerability discoveries in the last 6 months than any other IPS vendor research team • Sustained high performance Firewall + IPS platform • Simplified policy control • Multi-Gbps, low latency - even when scanning both client and server traffic | presentation
  • 39. Other Security and Networking Budgets • Budgeted technologies • URL filtering • Proxy appliances • Anti-virus appliances • DLP solutions / PCI compliance • Use these maintenance budgets to replace firewalls with NG ones | presentation
  • 40. Segmentation to Isolate Cardholder Data • Only Finance users in Active Directory can access cardholder zone (rule 1) • Oracle is the only application allowed (rule 1) • Block inbound threats (rule 1) • Monitor/block outbound cardholder data transfer (rule 1) • Deny and log all else (rule 2) [Diagram labels: Cardholder Servers, Finance Users, Palo Alto Networks, Infrastructure Servers, Development Servers, WAN and Internet, Users] Page 40 | © 2009 Palo Alto Networks. Proprietary and Confidential. | presentation
  • 41. Flexible Deployment Options • Visibility: Application, user and content visibility without inline deployment • Transparent In-Line: IPS with app visibility & control; Consolidation of IPS & URL filtering • Firewall Replacement: Firewall replacement with app visibility & control; Firewall + IPS; Firewall + IPS + URL filtering | presentation
  • 42. “I’m fine, No Problems Here” • “My proxy gives me application control”: Proxy/Caches are great for bandwidth reduction; Proxies slow and break applications; Proxies control limited set of applications (~15); Adding new applications is long and painful; Only identify based on URL string and IP addresses • “I’m protected by IPS and URL filtering”: Blocking is not always best solution; IPS stops limited set of “bad applications”; URL filtering control is limited to web surfing; 54% of HTTP traffic are C/S applications – URL filtering can’t control • “I have no issues with app visibility, control”: You don’t know what you don’t know; AVR report shows users have taken control; Do a POC of an NG firewall and prove it! | presentation
  • 43. Take Home Thoughts Ask your Network Security team to produce a report of Web 2.0 activity ‘today’ and then ask them what levels of control you have today – you will be concerned. Re-evaluate your corporate Web 2.0 user policy/AUP through research and identify how that will be audited through technology (NG firewall) It is unlikely your current firewall technology will give you Web 2.0 protection. Start planning now to find one that will. Consider using budgets for IPS/URL/Gateway AV to fund firewall replacement projects with NG firewalls | presentation
  • 44. THANK YOU & QUESTIONS | presentation
  • 45. Contact Details Simon Richardson Managing Partner ITogether Security Solutions simon@itogether.co.uk 0113 341 0126 | presentation
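
The gap between slide 21 (a port number says nothing about the application or the user) and slide 40 (rule 1 / rule 2 for the cardholder zone) can be made concrete with a first-match policy evaluator. This is an added example, not part of the original deck or of any vendor's product; the rule names, directory groups, application labels, the Oracle listener port 1521 and all sample flows are assumptions constructed for illustration, and application classification is assumed to have happened upstream.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One session as the firewall sees it. All sample values are constructed."""
    user: str                 # name resolved from the directory, not the source IP
    groups: FrozenSet[str]    # directory groups of that user
    dst_zone: str             # "internet" or "cardholder"
    dst_port: int
    app: str                  # label assumed to come from traffic classification


@dataclass(frozen=True)
class Rule:
    """A rule field left as None is a wildcard."""
    name: str
    action: str                              # "allow", "allow-scan" or "deny"
    dst_zone: Optional[str] = None
    ports: Optional[FrozenSet[int]] = None
    apps: Optional[FrozenSet[str]] = None
    groups: Optional[FrozenSet[str]] = None
    log: bool = False

    def matches(self, flow: Flow) -> bool:
        if self.dst_zone is not None and flow.dst_zone != self.dst_zone:
            return False
        if self.ports is not None and flow.dst_port not in self.ports:
            return False
        if self.apps is not None and flow.app not in self.apps:
            return False
        if self.groups is not None and not (flow.groups & self.groups):
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str, bool]:
    """First matching rule wins; no match is an implicit, logged deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name, rule.log
    return "deny", "implicit-deny", True


ORACLE_PORT = 1521  # assumption: default Oracle listener port

# Port/protocol view of the network: what slide 20 calls "ports, protocols, packets".
PORT_POLICY = [
    Rule("web-out", "allow", dst_zone="internet", ports=frozenset({80, 443})),
    Rule("db-in", "allow", dst_zone="cardholder", ports=frozenset({ORACLE_PORT})),
    Rule("deny-all", "deny", log=True),
]

# Application- and user-aware view. rule-1 and rule-2 follow slide 40 (outbound
# data monitoring is not modelled); the internet rules follow slide 38's
# "block bad, safely enable good" and their app lists are assumptions.
APP_POLICY = [
    Rule("rule-1", "allow-scan", dst_zone="cardholder",
         apps=frozenset({"oracle"}), groups=frozenset({"Finance"})),
    Rule("rule-2", "deny", dst_zone="cardholder", log=True),
    Rule("block-bad-apps", "deny", dst_zone="internet",
         apps=frozenset({"limewire"}), log=True),
    Rule("enable-good-apps", "allow-scan", dst_zone="internet",
         apps=frozenset({"web-browsing", "gmail"})),
    Rule("deny-all", "deny", log=True),
]

# Constructed flows; the user and application names echo slide 21.
FLOWS = [
    Flow("finance.analyst", frozenset({"Finance"}), "cardholder", ORACLE_PORT, "oracle"),
    Flow("dev.engineer", frozenset({"Development"}), "cardholder", ORACLE_PORT, "oracle"),
    Flow("finance.analyst", frozenset({"Finance"}), "cardholder", ORACLE_PORT, "ssh"),
    Flow("mary.jones", frozenset({"Sales"}), "internet", 80, "yahoo-im"),
    Flow("paul.king", frozenset({"Sales"}), "internet", 443, "gmail"),
    Flow("john.smith", frozenset({"Sales"}), "internet", 80, "limewire"),
]


def blind_spots(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Flows the port policy allows but the app/user policy denies."""
    found = []
    for flow in flows:
        port_action, _, _ = evaluate(PORT_POLICY, flow)
        app_action, app_rule, _ = evaluate(APP_POLICY, flow)
        if port_action == "allow" and app_action == "deny":
            found.append((flow.user, flow.app, app_rule))
    return found


if __name__ == "__main__":
    for user, app, rule in blind_spots(FLOWS):
        print(f"{user:16} {app:10} allowed by port policy, denied by {rule}")
```
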