Piotr Kędra – network consultant. Since 2007 Piotr has been working as a Systems Engineer in the Polish entity of Juniper Networks. He is responsible for network solutions for the enterprise sector and technical support for the channel. Previously he worked at Solidex and NextiraOne as a presales engineer. He has participated in a number of audits and many projects in the area of LAN, WAN and network security.
Topic of Presentation: The role of information in modern security systems
Language: Polish
Abstract: TBD
Plnog13 2014 security intelligence_pkedra_v1
1. The Role of Information in Modern Security Systems
Security Intelligence
Piotr Kędra
Senior Systems Engineer, Channel support
pkedra@juniper.net
2. Agenda
• What are we talking about?
• Modern warfare
• Firewall evolution
• Threat landscape
• Security Intelligence
• Summary
3. Network-Centric Warfare
• In 1996, Admiral William Owens described the evolution of a system of intelligence sensors, command and control systems, and precision weapons that enabled enhanced situational awareness, rapid target assessment, and distributed weapon assignment.
• An information superiority-enabled concept of operations that generates increased combat power by networking sensors, decision makers and shooters to achieve shared awareness, increased speed of command, higher tempo of operations, greater lethality, increased survivability and a degree of self-synchronization.
• Power to the Edge
5. Firewall Technology Overview
• State of security – Past and Present
• What is a firewall?
• How have firewalls been evolving?
• Is a firewall still necessary?
• High-end customer requirements
• Performance
• Segmentation
• Compliance mandates
• Do more with less
6. What is (was) a firewall?
• Software / Hardware barrier between intranet (LAN) and extranet (WAN)
• Permit or deny traffic based on policies / rules
  • Source IP address/port, destination IP address/port, destination service, protocols, source domain, etc.
• Stateful – maintains information about existing sessions
  • Make decisions based on session state rather than individual packets
• Perimeter Gateway – common entry point to LAN
7. How have they evolved?
• From Packet Filter to Stateful to NextGen
  • Addressing the evolving threat landscape
  • FW/IPsec VPN – secure remote tunnels into corporate
  • UTM – AV, antispam, URL filtering, DI/IPS, and more
    • Consolidate security posture into a single appliance
  • Application / NextGen Gateways
• From Perimeter to Infrastructure / Core
  • Addressing the needs of changing network function / design
  • Multiple entry points to network
    • Partner portals, remote connectivity, wireless, etc.
  • Segmentation capabilities – network zoning
    • Enforcement of user roles / responsibilities
8. Is a firewall still needed?
• Still 1st line of defense
  • DoS/DDoS protection
  • Ports / protocols usage
  • White lists, black lists – allow or deny
  • NATing – transition between IPv4 and IPv6
• Regulatory Compliance
  • Requires security in depth including firewall
  • PCI, SCADA, and others
• Segmentation of LAN
  • Separate zones / policies to logically separate traffic
  • Enforce corporate policies
10. Evolution of Integration
Stand-alone – specialized functions
• Stateful FW
• IPSec VPN
• IDP
• Routing
• Separation of tasks
• Expensive, high-touch
• No logical integration
Bolt-on – loose functional integration & coordination
• FW “houses” add-on svcs
• Single chassis convenience
• Very complex set-up & ongoing maintenance
Fully-integrated – HW/SW optimized for full integration, tight coordination with apps & functions
• Uncompromised performance
• Complete inheritance
• Best in class services
[Diagram: separate Firewall and IPS boxes → Firewall + IPS bolted together in one chassis → a single fully-integrated platform]
11. NG Infantry weapon…
• Removable top barrel hurls 20mm high-explosive air-bursting fragmentation
rounds more than a half-mile. The lower barrel shoots NATO-standard
5.56mm ammunition. These rounds provide accurate single-round or bursts
to about 500 yards. Laser-guided electronics as sophisticated as on a
modern tank.
12. Next-Generation Firewall (NGFW)
Emphasis on Visibility
• Application Visibility and Control
• User-based Controls
• Intrusion Prevention Services
[Chart: traditional firewall at L3 / static vs. next-gen firewall at L7 / dynamic]
13. Evolution Of The Firewall
• Open platform delivers more value
• Scalable to ensure full enterprise or service provider deployment
• Built for expansive data capacity
• Improved efficacy, with fine-tuning
• Adaptive in its ability to incorporate many types of data into policy
Security Intelligence!
[Chart: from Layer 3 to Layer 7, from closed to open: traditional firewall → next-gen firewall (dynamic) → dynamic adaptive platform]
14. The Current Security Threat Landscape
• Attacks coming faster; attackers getting smarter
• Complex attacks using multiple vulnerabilities
• No simple solution works
– Patching helps
– Firewalls help
– AV & attachment removal help
– Encrypted passwords/tunnels help
• You can’t be “secure”; only “more secure”
• We must share information better
15. Today’s Threats, Yesterday’s Defenses
40 anti-virus solutions, 80 new viruses: 5% catch rate, 4 weeks to coverage
Source: Assessing the Effectiveness of Antivirus Solutions, Imperva
17. Conceptual Overview
[Diagram: Spotlight Secure (Global Attacker Fingerprints, Command & Control, Malware Domains and IPs, Suspicious APT Behaviors, GeoIP, Compromised Hosts), together with Custom Lists and Local Attacker IDs, is delivered through the Spotlight Connector to the SRX]
• Centrally managed threat intelligence
• Open platform for custom threat data
• Scalable solution supports many SRX
• Future-proof framework
• Precise attacker identification
18. Solution Architecture
Threat data sources: Spotlight Secure (Command & Control, GeoIP, Attacker Fingerprints); customer-provided or 3rd-party threat data; local attacker details (e.g. WebApp Secure)
(1) Aggregated & optimized cloud-based threat intelligence
(2) Juniper-provided threat intelligence to customer premise
(3) Local/customer data incorporated into solution
(4) Centrally managed by Junos Space Security Director
(5) Intelligence distributed to SRX enforcement points (SRX Firewalls)
19. Spotlight Secure Today
Sharing Attacker Fingerprints in Real-Time – Spotlight Secure Global Attacker Intelligence Service
(1) Attacker from San Francisco
(2) WebApp Secure protected site in UK records fingerprint
(3) Attacker fingerprint uploaded
(4) Attacker fingerprint available for all sites protected by WebApp Secure
Detect Anywhere, Stop Everywhere
20. Juniper “Feed” Creation & Structure
Sourcing Threat Data – threat intelligence is collected from a variety of sources
• Juniper is committed to delivering focused threat intelligence (C&C, botnet)
• We utilize a variety of threat data sources and techniques to ensure intelligence is current and actionable
• All data sources are carefully evaluated by Juniper’s threat research team
The Optimization Process
• Consolidate data
• Weed out false positives
• Add/normalize scores
• Prioritize based on current threat landscape
Rinse & Repeat
• Threats change often
• Refresh all data sources at regular intervals
• Spotlight Secure ensures that data delivered to customer premise is fresh and actionable
The Juniper Threat Feed (indicator, threat score)
192.168.3.101 5
192.168.4.25 3
www.bad.com/xyz 1
…
• Juniper threat feeds are designed to maximize enforcement point resources
• Policy can be fine-tuned using threat scores
Not all threat intelligence is created equal
21. Support for Custom Feeds
• Security intelligence solution supports customer choice
• Multi-vendor data can easily be integrated into the solution
• Scalable component within SD aggregates all data for customer
• Management still occurs through same SD-based tools
• Support for blacklist and whitelist – Customer defines policy that uses data
• Update Mechanisms
  • File PUSH through Security Director
  • Web server PULL
  • Local appliance/service PUSH interface
22. Use-case #1: Detection of infected hosts
[Diagram: Spotlight Cloud delivers an IP/URL feed over the Internet to the Spotlight Connector, which passes the IP/URL feed to the SRX]
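The feed structure on slide 20, the custom-feed and whitelist support on slide 21, and use-case #1 all come together in the same processing chain: consolidate several feeds, normalize their scores, drop whitelisted entries, and match session logs against the result. The following is an added example written for this page, not Juniper's code: the feed formats, the 0-100 scale of the third-party feed, the session-log format and every address and host name in it are constructed, and the block/log thresholds are assumptions to be tuned per policy. The sample feed lines from slide 20 are reused as-is.

```python
"""Added example (not Juniper's code): consolidate scored threat feeds and
flag internal hosts whose sessions hit feed indicators.  Feeds, log lines,
hosts and addresses below are constructed for illustration."""
from collections import defaultdict

# Feed from slide 20: "<indicator> <score>", assumed to use a 1..5 scale.
JUNIPER_FEED = """\
192.168.3.101 5
192.168.4.25 3
www.bad.com/xyz 1
"""
# Hypothetical third-party feed (slide 21) using a 0..100 confidence scale.
THIRD_PARTY_FEED = """\
192.168.3.101 90
198.51.100.7 60
"""
# Customer-defined whitelist: never enforced, whatever the feeds say.
WHITELIST = {"198.51.100.7"}


def parse_feed(text, max_score):
    """Parse '<indicator> <score>' lines and normalize the score to 0..1."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, score = line.split()
        out[indicator] = min(float(score), max_score) / max_score
    return out


def consolidate(feeds, whitelist=frozenset()):
    """Merge feeds: keep the highest normalized score per indicator and drop
    whitelisted entries (the 'weed out false positives' step on slide 20)."""
    merged = {}
    for feed in feeds:
        for indicator, score in feed.items():
            if indicator in whitelist:
                continue
            merged[indicator] = max(merged.get(indicator, 0.0), score)
    return merged


def action_for(score, block_at=0.6, log_at=0.2):
    """Policy fine-tuned with thresholds on the normalized threat score."""
    if score >= block_at:
        return "block"
    if score >= log_at:
        return "log"
    return "permit"


# Constructed session log: "src_ip dst_ip dst_port url" ('-' when no URL).
LOG_LINES = [
    "10.0.0.5 192.168.3.101 443 -",
    "10.0.0.5 203.0.113.9 80 -",
    "10.0.0.8 203.0.113.44 80 www.bad.com/xyz",
    "10.0.0.9 198.51.100.7 443 -",
]


def find_infected(log_lines, feed):
    """Return {internal_host: [(indicator, action), ...]} for sessions whose
    destination IP or URL appears in the consolidated feed."""
    hits = defaultdict(list)
    for line in log_lines:
        src, dst, _port, url = line.split()
        for indicator in (dst, url):
            if indicator in feed:
                hits[src].append((indicator, action_for(feed[indicator])))
    return dict(hits)


def build_feed():
    """Consolidated feed from both sources with the whitelist applied."""
    return consolidate(
        [parse_feed(JUNIPER_FEED, 5), parse_feed(THIRD_PARTY_FEED, 100)],
        WHITELIST,
    )


if __name__ == "__main__":
    for host, matches in find_infected(LOG_LINES, build_feed()).items():
        print(host, matches)
```

Taking the maximum score across sources is one choice; a weighted average or a per-source trust factor would express "not all threat intelligence is created equal" more directly, at the cost of needing a trust rating per feed.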
24. Use-case #3: GeoIP-based traffic inspection
Dynamic Address Groups
• Dynamic Address Groups can be used as either “Source Address” or “Destination Address” in a firewall rule.
• A Dynamic Address Group is updated dynamically and does not require any configuration commit.
• The following types of feeds are supported in the first version:
  • Custom IP-list feeds
  • GeoIP feed (from Spotlight Cloud)
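The property that matters in this use-case is that a rule references the group by name, so refreshing the group's membership from a feed changes what the rule matches without touching the rule itself. The example below is added here to illustrate that property and is not Junos or SRX code: the `DynamicAddressGroup` and `Rule` classes, the country codes, the prefixes (documentation ranges) and the `permit+ips` action label are all constructed.

```python
"""Added example (not Junos code): a dynamic address group referenced by a
rule and refreshed from a feed without any policy commit.  Feed contents,
country codes and prefixes are constructed for illustration."""
import ipaddress


class DynamicAddressGroup:
    """Named set of prefixes whose membership can be replaced at any time."""

    def __init__(self, name, cidrs=()):
        self.name = name
        self.networks = set()
        self.refresh(cidrs)

    def refresh(self, cidrs):
        # Replace membership in one step; rules referencing the group are untouched.
        self.networks = {ipaddress.ip_network(c, strict=False) for c in cidrs}

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


class Rule:
    def __init__(self, name, src, dst, action):
        self.name, self.src, self.dst, self.action = name, src, dst, action


def matches(selector, ip):
    """'any' matches everything; otherwise the selector is a group."""
    return selector == "any" or selector.contains(ip)


def evaluate(rules, src_ip, dst_ip, default="deny"):
    """First-match rule evaluation; group membership is checked at match time."""
    for rule in rules:
        if matches(rule.src, src_ip) and matches(rule.dst, dst_ip):
            return rule.name, rule.action
    return "default", default


# Constructed GeoIP feed versions keyed by (made-up) country code.
GEOIP_FEED_V1 = {"XX": ["203.0.113.0/24"], "YY": ["198.51.100.0/24"]}
GEOIP_FEED_V2 = {"XX": ["203.0.113.0/24", "192.0.2.0/24"], "YY": ["198.51.100.0/24"]}
# Constructed custom IP-list feed.
CUSTOM_FEED = ["10.10.0.0/16"]


def build_policy():
    """Two dynamic groups used as destination addresses in a small rule base."""
    geo_xx = DynamicAddressGroup("geoip-XX", GEOIP_FEED_V1["XX"])
    custom = DynamicAddressGroup("custom-blocklist", CUSTOM_FEED)
    rules = [
        Rule("block-custom-list", "any", custom, "deny"),
        Rule("inspect-country-XX", "any", geo_xx, "permit+ips"),
        Rule("default-permit", "any", "any", "permit"),
    ]
    return rules, geo_xx


def demo():
    """Show the same session matching differently after a feed refresh."""
    rules, geo_xx = build_policy()
    before = evaluate(rules, "10.0.0.5", "192.0.2.7")
    geo_xx.refresh(GEOIP_FEED_V2["XX"])  # feed update: no rule change, no commit
    after = evaluate(rules, "10.0.0.5", "192.0.2.7")
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because membership is consulted at match time, a stale or poisoned feed changes enforcement immediately; the refresh step is the place to validate the feed's source and size before swapping it in.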
27. Summary
• Status
• Competitive intelligence is a work-in-progress
• More details will be made available as we near formal launch (we are almost
ready)
• Highlights
• Centralized and open threat intelligence framework
• Highly scalable and performant firewall implementation
• Emphasis on efficacy, particularly with integration of attacker fingerprinting
28. NAC integration
[Diagram: local and remote users connect through switches and WLAN; a NAC policy server checks identity against the Authentication, Authorization, and Accounting server (Radius or AD) and checks posture; the firewall allows or disallows access to protected resources]
• Identify who gets access – identity correct? authorized?
• Enforce policies before users get on the network – policy met?
• Set access policy
• Allow access to authorized resources – allow or disallow?
31. Big Data Platforms and Security Intelligence
Customers are looking to combine Big Data Platforms and Security Intelligence to derive further security insights, including:
• Beaconing
  • Identify a pattern of connectivity from internal hosts or users to external endpoints over a long period of time.
• Advanced baselining
  • Model normal behavior of users, apps, assets and other organizational entities so that anomalous behavior can be identified.
• Users susceptible to spear phishing
  • Enumerate users who are prone to spear phishing attacks because of their propensity to click suspicious URL links and who may require additional security training.
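Two of the analyses listed above can be shown concretely on a small connection log: beaconing shows up as unusually regular inter-arrival times between one internal host and one external endpoint, and baselining compares a host's current activity to its own history. The block below is an added example, not part of the presentation or any Juniper product: the log, the daily counts, the host names and addresses are constructed, and the thresholds (minimum event count, maximum coefficient of variation, z-score cut-off) are assumptions a practitioner would tune against real data.

```python
"""Added example (not from the presentation): beacon detection by
inter-arrival regularity and a per-host daily-count baseline, both run
over constructed data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (timestamp_seconds, src_host, dst_endpoint).
LOG = []
# host-a contacts one endpoint every ~300 s with a little jitter (beacon-like).
for i in range(24):
    LOG.append((1000 + 300 * i + (i % 3) - 1, "host-a", "203.0.113.50"))
# host-b contacts another endpoint at irregular, user-driven intervals.
for t in (1000, 1017, 1200, 1206, 2400, 2410, 2418, 5000, 7300, 7305, 9100, 9101):
    LOG.append((t, "host-b", "198.51.100.20"))


def beacon_candidates(log, min_events=10, max_cv=0.1):
    """Group connections by (src, dst) and report pairs whose inter-arrival
    times are regular: coefficient of variation (stdev / mean) <= max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst in log:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_events:
            continue  # too few events to call the pattern regular
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            found[pair] = {"period_s": round(avg), "cv": round(cv, 3), "count": len(times)}
    return found


# Constructed daily outbound connection counts per host, oldest first.
DAILY_COUNTS = {
    "host-a": [120, 118, 125, 122, 119, 121, 123, 120, 117, 124, 122, 119, 121, 640],
    "host-b": [300, 310, 295, 305, 290, 315, 300, 298, 302, 308, 296, 304, 301, 299],
}


def baseline_anomalies(daily_counts, z_threshold=3.0):
    """Model each host's normal daily count from all days but the last and
    report hosts whose last day deviates by more than z_threshold sigmas."""
    flagged = {}
    for host, series in daily_counts.items():
        history, today = series[:-1], series[-1]
        mu, sigma = mean(history), pstdev(history)
        z = (today - mu) / sigma if sigma else float("inf")
        if z > z_threshold:
            flagged[host] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print(beacon_candidates(LOG))
    print(baseline_anomalies(DAILY_COUNTS))
```

The coefficient of variation is used rather than the raw standard deviation so that a 5-minute beacon and a 6-hour beacon are judged by the same rule; real beacons add deliberate jitter, which is why `max_cv` should be set from observed legitimate traffic (NTP, update checks) rather than at zero.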