Posted on 19-Oct-2014

Secure IP Infrastructure is Critical for VoIP
Intrusion Prevention for Service Providers
CONFIDENTIAL
TippingPoint – The Company
The Proven Leader in Intrusion Prevention (NASDAQ: TPTI)
– Launched industry's first intrusion prevention solution, January 2002
– Only Vendor Awarded NSS Gold for Intrusion Prevention, January 2004
Deep Domain Expertise and Experienced Management
– Networking, security and software knowledge from industry-leading companies such as Cisco, SANS, NetSpeed, Alcatel, IBM, Efficient, Motive
Best-of-breed Technology and Execution
– Tens of millions of dollars invested in core technology R&D
– Highly parallel, custom packet-processing ASIC technology
– Patent-pending technologies that deliver unmatched performance
Select TippingPoint Customers and Awards
(Slide of customer and award logos)
The Security Risk Gap is Growing Exponentially
New security demands exceed IT capacity
– Increasing rate of new vulnerabilities
– Decreasing time to patch them
– Walk-in worms, e-mail attacks
– Rogue applications "stealing" IT resources
Traditional tools can't fully mitigate today's security challenge
– Perimeter firewalls are porous (e.g. allow port 80) and can't handle the core
– Comprehensive patching is impossible
– Not all end-points under IT control
Line speed Intrusion Prevention closes the gap
(Chart: Security Demands vs. IT Security Capacity plotted against Time, Business Growth; the widening difference between the two curves is the Security Risk Gap)
UnityOne Closes the Security Risk Gap
Network Performance is Accelerated
System Up-time is Maximized
Emergency Patching Triage is Eliminated
Plug-and-Play Operation
– No tuning required
Business Continuity is assured and the cost of security operations is reduced
(Chart: Security Demands vs. IT Security Capacity against Time, Business Growth, with the capacity curve lifted by Up-time, Perf, No Triage and Plug and Play)
UnityOne IP Service Control
Ultra-High Performance Custom Hardware
– 5 Gbps Throughput
– Switch-Like Latency
– 2M Sessions
– Total Flow Inspection
– 10K Parallel Filters
Service providers demand uncompromising performance, reliability, and protection
(Diagram: IP Service Control comprises Bandwidth Management, Intrusion Prevention and Content-based QOS; the same diagram appears on the following three slides)
Intrusion Prevention
Performs Total Inspection at Layers 2-7
Protects Subscriber Desktop Vulnerabilities
– Quarantine Infected Subscribers to a Walled-Garden
Protects Network Equipment Vulnerabilities
Protects Server Vulnerabilities
Protects Against Anomalous Traffic Behavior
Protect: Applications and Operating Systems; Subscriber Desktops; Broadband Network Elements; Email, News, DNS Servers; Real time VoIP Security
ROI Components: Reclaimed Infrastructure Capacity (Router, Server); Eliminate Emergency Patching; Fewer Help Desk Calls; Fewer Truck Rolls; Reduced Subscriber Churn
Bandwidth Management
Increases Network Performance Even When Not Under Attack
Rate Limits Non-Mission Critical Applications
– Controls Peer-to-Peer Traffic
– Controls unauthorized Instant Messaging
– Controls Rogue Applications
– Eliminates Misuse and Abuse
Protect: Bandwidth; Server Capacity; Mission-Critical Traffic
ROI Components: Reclaimed Infrastructure Capacity; Reduced Bandwidth Expense
Content-based QOS
Identify specific sessions
– Based on Application, Subscriber, Content, existing QOS markings
Notify Service Control Elements
– Eliminate dependence on Client knowledge of network rules
Add or modify marking for appropriate QOS priority in the network
– Set DSCP/TOS, 802.1P/Q VLAN, MPLS tags
Enforce QOS by prioritizing queues using CBR and VBR
Identify: Specific Applications; Premium Subscribers; Content Partners
ROI Components: Incremental Revenue from Subscribers; Incremental Revenue from Application and Content Partners
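The identify-then-mark sequence above can be made concrete. The following is an added example, not code from the TippingPoint deck or product: it classifies a flow with a constructed heuristic (RTP version bits, a static payload type and the usual even-port dynamic range) against a hypothetical policy table, then rewrites the six DSCP bits of an IPv4 header (keeping the two ECN bits and recomputing the header checksum) and the 802.1p priority bits of an 802.1Q tag. The policy values, port heuristics and sample packet are assumptions made for the example.

```python
"""Content-based QoS marking: classify a flow, then set the DSCP bits of an
IPv4 header and the 802.1p priority bits of an 802.1Q tag to match.
Added example; the policy table and the RTP heuristic are constructed for
illustration and are not TippingPoint's classifier or configuration."""
import socket
import struct

# Standard DiffServ code points (RFC 2474 / RFC 3246 / RFC 2597).
DSCP_EF = 46    # Expedited Forwarding: interactive voice
DSCP_AF31 = 26  # Assured Forwarding 3x: business-critical data
DSCP_BE = 0     # Best effort

# Hypothetical marking policy: application -> (DSCP, 802.1p PCP).
POLICY = {"voip-rtp": (DSCP_EF, 5), "oracle": (DSCP_AF31, 3), "default": (DSCP_BE, 0)}


def classify_udp(dst_port, payload):
    """Assumed heuristic: RTP version 2, a static audio/video payload type
    (RFC 3551: 0-34) and an even port in the common dynamic range."""
    if (len(payload) >= 12 and payload[0] >> 6 == 2
            and (payload[1] & 0x7F) <= 34
            and 16384 <= dst_port <= 32767 and dst_port % 2 == 0):
        return "voip-rtp"
    return "default"


def classify_tcp(dst_port):
    """Oracle's registered TNS listener port (1521); everything else is default."""
    return "oracle" if dst_port == 1521 else "default"


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words; 0 for a header whose checksum field is already valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=17):
    """Minimal 20-byte IPv4 header (TOS 0, no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                                0x1234, 0x4000, 64, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def set_dscp(ip_header, dscp):
    """Rewrite the 6 DSCP bits of the TOS byte, keep the 2 ECN bits, fix the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    hdr = bytearray(ip_header)
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def get_dscp(ip_header):
    return ip_header[1] >> 2


def set_pcp(tci, pcp):
    """802.1Q TCI = PCP(3) | DEI(1) | VID(12); replace only the priority bits."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    return (pcp << 13) | (tci & 0x1FFF)


def mark(ip_header, tci, application):
    """Apply the policy for a classified flow; returns (new_header, new_tci)."""
    dscp, pcp = POLICY.get(application, POLICY["default"])
    return set_dscp(ip_header, dscp), set_pcp(tci, pcp)


if __name__ == "__main__":
    # Constructed sample: a G.711 RTP packet (version 2, payload type 0) to port 16384.
    rtp = bytes([0x80, 0x00, 0x12, 0x34, 0, 0, 0x03, 0xE8, 0xDE, 0xAD, 0xBE, 0xEF]) + b"\x00" * 160
    hdr = build_ipv4_header("10.1.1.10", "10.2.2.20", 8 + len(rtp))
    app = classify_udp(16384, rtp)
    new_hdr, new_tci = mark(hdr, 0x0064, app)   # VLAN 100, priority 0 before marking
    print(app, get_dscp(hdr), "->", get_dscp(new_hdr), hex(new_tci))
```

Re-marking only the DSCP bits and leaving ECN intact matters in practice: a marker that overwrites the whole TOS byte silently breaks ECN negotiation for the flows it prioritises.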
Secure Cable HSD Networks
(Network diagram)

Secure DSL Networks
(Network diagram)
Network-Based Model: Managed Secure Service
(Diagram: two UnityOne-2000 units and one UnityOne-2400 sit between the Internet and Business Customer #1, #2 and #3 over Redundant Network Links; the Security Management System (SMS) provides Centralized Network Management for the Managed Secure Service)
Service with Network-Based Managed Secure Service provided via UnityOne Solutions
Automatic Digital Vaccine
Raw Intelligence Feeds
• SANS
• CERT
• Vendor Advisories
• Bugtraq
• VulnWatch
• PacketStorm
• Securiteam
Vulnerability Analysis
Vaccine Creation
Digital Vaccine Automatically Delivered to Customers
Scalable distribution network using Akamai's 9,700 servers in 56 countries
@RISK Weekly Report
Performance Protection – Rogue Application Control Example
Protects mission-critical application bandwidth
Controls misuse and abuse
Generates report graphs for each virtual pipe
Unlimited number of virtual pipes
(Chart: Mbps (Average per Hour), y-axis 0 to 200, over several days with ticks at 1:00, 7:00, 13:00 and 19:00; series Oracle, E-mail, HTTP, P2P Rate Limit, Kazaa, eDonkey, WinMX)
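The "P2P Rate Limit" series in the chart is the output of a rate limiter applied to one virtual pipe while the others run unshaped. The following is an added example, not TippingPoint code: each application class gets a virtual pipe with its own byte accounting, and the P2P pipe is governed by a token bucket. The pipe names, the 2 Mbit/s limit, the burst size and the one-second traffic trace are constructed for the example.

```python
"""Per-application "virtual pipes" with a token-bucket rate limit on the
non-mission-critical ones. Added example, not TippingPoint code; pipe names,
rates and the sample traffic below are constructed for illustration."""


class TokenBucket:
    """Tokens are bits; `rate_bps` refill per second, capped at `burst_bits`."""

    def __init__(self, rate_bps, burst_bits):
        self.rate = rate_bps
        self.burst = burst_bits
        self.tokens = burst_bits   # start full so a short burst is not penalised
        self.last = None

    def allow(self, now, size_bytes):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False   # excess is dropped here; a shaper could instead queue or re-mark it


class VirtualPipe:
    """One accounting bucket per application; `rate_bps=None` means unlimited."""

    def __init__(self, name, rate_bps=None, burst_bits=None):
        self.name = name
        self.bucket = TokenBucket(rate_bps, burst_bits) if rate_bps else None
        self.passed_bytes = 0
        self.dropped_bytes = 0

    def offer(self, now, size_bytes):
        if self.bucket is None or self.bucket.allow(now, size_bytes):
            self.passed_bytes += size_bytes
            return True
        self.dropped_bytes += size_bytes
        return False


def shape(packets, pipes, default="other"):
    """packets: iterable of (timestamp_s, application, size_bytes) in time order.
    Returns {pipe_name: (passed_bytes, dropped_bytes)}."""
    for ts, app, size in packets:
        pipes.get(app, pipes[default]).offer(ts, size)
    return {name: (p.passed_bytes, p.dropped_bytes) for name, p in pipes.items()}


def average_mbps(byte_count, seconds):
    """The 'Mbps (average per hour)' figure a report graph would plot for one pipe."""
    return byte_count * 8 / seconds / 1e6


def make_pipes():
    return {
        "voip": VirtualPipe("voip"),      # never limited
        "oracle": VirtualPipe("oracle"),  # never limited
        "p2p": VirtualPipe("p2p", rate_bps=2_000_000, burst_bits=24_000),  # 2 Mbit/s, two-packet burst
        "other": VirtualPipe("other"),
    }


def sample_traffic():
    """Constructed one-second trace: 10 Mbit/s of P2P (1500 B every 1.2 ms)
    mixed with one G.711 call (200 B every 20 ms)."""
    pkts = [(i * 0.0012, "p2p", 1500) for i in range(834)]
    pkts += [(i * 0.02, "voip", 200) for i in range(50)]
    return sorted(pkts)


def demo():
    return shape(sample_traffic(), make_pipes())


if __name__ == "__main__":
    for name, (passed, dropped) in demo().items():
        print(f"{name:7s} passed {average_mbps(passed, 1.0):6.3f} Mbps  "
              f"dropped {average_mbps(dropped, 1.0):6.3f} Mbps")
```

With the constructed trace the P2P pipe settles at its 2 Mbit/s ceiling (about one packet in five gets through) while the voice pipe passes every packet; the per-pipe counters are what a "report graph for each virtual pipe" would be drawn from.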
Security and Bandwidth Management for Improved Cash Flow
Reduced Bandwidth Expense
– P2P rate-limiting can reduce egress bandwidth by 20%
Reduced Capital Investment
– Reduced upstream bandwidth reclaims 10-30% of equipment investment
– Virus and worm mitigation can save up to 20% of edge device CPU utilization
Reduced Support Costs
– Fewer help desk calls
– Fewer truck rolls
Incremental Revenue
– Enables VoIP rollout
– Reduces subscriber and VoIP churn
(Chart: cash flow Without TippingPoint vs. With TippingPoint; segments for Lost Revenue (HSD Churn, VoIP Churn), Support Costs, Capital Investment, Bandwidth Expense, Positive Cash Flow and Investment in TippingPoint)
UnityOne Security Management System (SMS)
(Screenshot)
UnityOne Product Line
Intrusion Prevention Systems
– 2.0 Gbps, 4x10/100/1000 Copper/Fiber
– 1.2 Gbps, 4x10/100/1000 Copper/Fiber
– 400 Mbps, 4x10/100/1000 Copper/Fiber
– 200 Mbps, 2x10/100 Copper
– 50 Mbps, 1x10/100 Copper
– 2.0 Gbps, 20x10/100/1000 Copper/Fiber
– 5.0 Gbps, 4x10/100/1000 Copper/Fiber (3Q04)
Security Management System
UnityOne Features and Benefits Summary
Feature: Benefit (grouped under Intrusion Prevention, Bandwidth Management and High Performance)
– Digital Vaccine Updates: A) Virtual Patches Protect Unpatched Vulnerable Hosts B) Zero-Day Protection against Unknown Attacks and DOS C) Maintain Evergreen Protection
– Prioritize Premium Applications: Allocate Bandwidth for Premium Applications like VoIP
– Gigabit throughput: A) Fundamental Requirement for Service Provider Deployments B) Economies of Scale
– Block Worms, Viruses, Trojans, DDoS attacks, and other Threats: A) Ensure System Uptime B) Reduce Call Center Costs C) Avoid Damages from Attacks D) Protect Infrastructure and Uncontrollable End Points
– Shape Traffic: A) Reclaim Bandwidth B) Eliminate Bandwidth Hijacking (P2P and IM) C) Network Optimization for Subscribers
– Flexible and Scalable Platform: Offer Premium Application Services, such as VoIP, Games, etc.
– Multiple Deployment Options: A) Offer Customers a Premium Managed Service B) Internal Deployments Protect Internal Network and Subscribers
TippingPoint NSS Gold Award Details
NSS Gold Standard
• Achieved 100% score on every test
• Ease of use, management capabilities
• Significant unique selling points
• Outstanding value for money
• Near perfect user experience
What's New
Intrusion Prevention for Service Providers
– Service providers use UnityOne for:
• Internal Protection and Bandwidth Management
• Subscriber Protection and Network Optimization
• IPS as a Managed Service
VoIP Security
– Protecting Vulnerabilities:
• SIP
• H.323
VoIP Bandwidth Protection to Prioritize VoIP Traffic
TippingPoint Forms VoIP Security Research Lab
– Discover and Analyze VoIP Security Threats
– Develop security tools for VoIP
– Education
What's New
TippingPoint's S-VoIP (Secure VoIP) Initiative
– July-August launch with multiple partners
• Joint marketing agreement / PR agreed to ahead of time
– Focus on
• Security Infrastructure Eco-system: partner's product portfolio protection
• Leading-edge H.323 & SIP protocol / vulnerability protection
• On-going forum for security discussion between participants
• Possible output to community via SANS, CERT, etc.
– Targeting quarterly meetings
Voice-Data Convergence Multiplies Threats
VoIP inherits IP data network threat models in addition to new, VoIP-specific threats
– Reconnaissance, DoS / DDoS, host vulnerability exploits, protocol vulnerability exploits, surveillance, hijacking, identity theft, misuse, monitoring / eavesdropping, inserting/deleting/modifying audio streams
– Theft of service
• Long distance service theft estimated at more than $10B annually without VoIP
• The threat of session hijacking and data security is more important AND more difficult
VoIP QoS requirements mean DoS attacks get easier
– Service Disruption possible due to delay, jitter, packet loss, available bandwidth
– DoS / DDoS attacks have far more targets in VoIP deployments:
• IP phones, broadband modems
• Routers, switches, firewalls, soft switches
• Signaling gateways, media gateways, SIP proxies, location servers
Where are the VoIP Security Vulnerabilities?
Voice transport protocols
– Real Time Protocol (RTP), RTCP, SCTP
Signaling protocols and architecture
– H.323, MEGACO, Media Gateway Control Protocol (MGCP), Signaling Connection Control Part (SCCP), and Session Initiation Protocol (SIP)
Multi-vendor component environment
– A variety of software / stack implementations across a heterogeneous infrastructure makes it difficult to assure security
What's at Risk?
– Success of service
– Brand
• Vendor and Service Provider risk brand damage if attacks succeed
– End-user identity and other information
– Compromise of infrastructure

Thank You
Backup Slides
Patching and Downtime Financial Impact
Cost to patch 5000 desktops exceeds $1 Million
– $234 average per patch (Yankee Group Enterprise Security survey, 2004)
$1.2 Billion in lost productivity in first five days of Slammer
Worldwide annual costs to businesses of all malicious code attacks were $1.8 billion in 1996; soared to $13.2 billion in 2001
– Horison Information Strategies, 2003
Security Threats and Typical Impact per Incident
– Virus: $24,000
– Denial of Service: $122,000
– Physical Theft or Destruction: $15,000
– Data Destruction: $350,000
– Theft of Proprietary Information: $4.5 million
– Illegal system access - outsider: $225,000
– Unauthorized insider access: $60,000
– Installation/Use of Unauthorized Software or Hardware: $250,000
– Insider Abuse of Net Access / E-mail: $360,000
– Financial Fraud: $4.4 million
Estimated security impacts per incident for various internal and external security issues – Source: Alinean, 2003
UnityOne Threat Suppression Engine
Hardware Solution Based on Specialized Custom ASICs
– 10,000 Parallel Filters
– Microsecond Latencies
– 10 Patents Pending
(Diagram of the inspection pipeline; stages as labelled on the slide:)
Flow State Table
IP Fragment Re-assembly
TCP Flow Re-assembly
Normalization
Multi-flow Analysis
• Baseline
• Anomaly Detection
7-Layer Packet Flow Inspection
• Parallel Processing
• Regular Expression Matching
• Protocol Decoding
Programmable Filters 1, 2, 3 … n
Traffic Shaping
Flow Classification & Marking
Packet Discard & Redirection
Alert & Notification
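The IP Fragment Re-assembly stage has to rebuild a datagram from fragments that may arrive out of order before any Layer-7 filter can see the payload, and it has to refuse fragment sets that cannot be a valid datagram (overlapping byte ranges, a second final fragment, an offset past 64 KiB) rather than guess which bytes the end host would keep. The following is an added example, not TippingPoint code: the Fragment record, the reassembler and the sample HTTP payload are constructed for the example.

```python
"""IP fragment re-assembly ahead of Layer-7 inspection: rebuild the datagram
from out-of-order fragments and reject fragment sets that cannot be a valid
datagram. Added example, not TippingPoint code; the Fragment record and the
sample payload are constructed."""
from dataclasses import dataclass

MAX_DATAGRAM = 65535


class ReassemblyError(Exception):
    """Raised for fragment sets an inspection engine should drop and alert on."""


@dataclass
class Fragment:
    key: tuple     # (src, dst, protocol, identification) names one datagram
    offset: int    # byte offset within the original payload (IP carries this in 8-byte units)
    more: bool     # MF flag: True unless this is the final fragment
    data: bytes


def fragment(key, payload, chunk=16):
    """Split a payload into fragments the way a router would; chunk must be a multiple of 8."""
    if chunk % 8:
        raise ValueError("non-final fragments must be multiples of 8 bytes")
    return [Fragment(key, off, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


class Reassembler:
    def __init__(self):
        self.pending = {}   # key -> fragments received so far

    def _fail(self, key, why):
        self.pending.pop(key, None)   # forget the datagram so it cannot pin memory
        raise ReassemblyError(why)

    def add(self, frag):
        """Feed one fragment; returns the complete payload once all pieces are in, else None."""
        key = frag.key
        if frag.offset % 8 or (frag.more and len(frag.data) % 8):
            self._fail(key, "offset or non-final length not a multiple of 8")
        if frag.offset + len(frag.data) > MAX_DATAGRAM:
            self._fail(key, "fragment extends past the maximum datagram size")
        frags = self.pending.setdefault(key, [])
        for f in frags:
            # Any byte range shared with an earlier fragment is ambiguous; do not pick a winner.
            if frag.offset < f.offset + len(f.data) and f.offset < frag.offset + len(frag.data):
                self._fail(key, "overlapping fragments")
        frags.append(frag)

        finals = [f for f in frags if not f.more]
        if len(finals) > 1:
            self._fail(key, "more than one final fragment")
        if not finals:
            return None
        total = finals[0].offset + len(finals[0].data)
        if any(f.offset + len(f.data) > total for f in frags):
            self._fail(key, "data beyond the final fragment")
        frags.sort(key=lambda f: f.offset)
        pos = 0
        for f in frags:
            if f.offset != pos:
                return None           # gap: still waiting for a fragment
            pos += len(f.data)
        del self.pending[key]
        return b"".join(f.data for f in frags)


# Constructed sample: one HTTP request (48 bytes) split into three 16-byte fragments.
SAMPLE_KEY = ("10.0.0.1", "10.0.0.2", 6, 0x1234)
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"


def demo():
    """Deliver the fragments out of order; the datagram completes on the last one."""
    r = Reassembler()
    frags = fragment(SAMPLE_KEY, SAMPLE_PAYLOAD)
    return [r.add(frags[1]), r.add(frags[2]), r.add(frags[0])]


if __name__ == "__main__":
    print(demo()[-1])
```

Refusing overlaps outright is a deliberate design choice for an inline device: different host stacks resolve overlapping fragments differently, so an engine that picked one interpretation could be made to inspect a different byte stream from the one the end host reassembles. A production engine would also bound how long a partial datagram may sit in `pending`.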
Peer-to-Peer Coverage
UnityOne rate limits and blocks over 98% of P2P traffic
Coverage evolves as new dominant P2P applications emerge
Top 10 P2P Applications (Source: AssetMetrix Research Labs)
– Kazaa (48%)
– Morpheus (22%)
– Imesh (10%)
– AudioGalaxy (6%)
– BearShare (4%)
– LimeWire (3%)
– Grokster (2%)
– WinMX (1%)
– Blubster (<1%)
– eDonkey (<1%)
– Other (2%)
High Availability and Stateful Network Redundancy
Intrinsic High Availability
– Dual Hot-Swappable Power Supplies
– Self-Monitoring Watchdog Timers
• Security and Management Engines
• L2 switch fallback
– 99.999% Network Reliability
Stateful Network Redundancy
– Stateful Redundancy: Active-Active, Active-Passive
– No IP Address or MAC Address
– Transparent to Router Protocols: HSRP, VRRP, OSPF
Application Protection – A Virtual Software Patch
A vulnerability is a security flaw in a software program.
An exploit is a program that takes advantage of a security flaw to gain unauthorized access to a vulnerable system.
Simple Exploit Filters
– Exploit Filters are written only to a specific exploit.
– Filter developers are forced to basic implementations because of engine performance limitations.
– Result: missed attacks, false positives and continued vulnerability risk.
TippingPoint's Vulnerability Filters act as a Virtual Software Patch and cover the entire vulnerability.
(Diagram: the Vulnerability "Fingerprint" contains both the Exploit A "Fingerprint" and the Exploit B "Fingerprint"; a Simple Exploit A Filter with a coarse signature misses Exploit B and also produces a False Positive, while the Virtual Software Patch covers the whole vulnerability)
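The diagram's two failure modes of an exploit signature, a missed variant and a false positive, can be shown in a few lines of filter logic. The following is an added example, not TippingPoint filter code. The "GREET" protocol, its 32-byte NAME buffer and all four sample messages are hypothetical: the exploit filter matches the one filler pattern seen in exploit A anywhere in the message, so it misses exploit B (same flaw, different filler) and fires on a harmless COMMENT field, while the vulnerability filter decodes the protocol and flags any NAME longer than the buffer, whatever it contains.

```python
"""Exploit-specific filter vs. vulnerability filter ("virtual patch") on a toy
protocol. Added example, not TippingPoint filter code: the GREET protocol, its
32-byte NAME buffer and every sample message below are hypothetical."""
import re

# Hypothetical flaw: the GREET server copies NAME into a 32-byte buffer without
# checking its length, so any NAME longer than 32 bytes reaches the vulnerable code.
NAME_BUFFER = 32


def parse_greet(message):
    """'GREET\\n' followed by KEY=VALUE lines; returns the fields, or None if not GREET."""
    lines = message.split(b"\n")
    if lines[0] != b"GREET":
        return None
    fields = {}
    for line in lines[1:]:
        if not line:
            continue
        key, sep, value = line.partition(b"=")
        if not sep:
            return None
        fields[key] = value
    return fields


# Exploit filter: a coarse signature lifted from the one exploit that was observed
# ("exploit A" padded NAME with 64 capital A's), matched anywhere in the message.
EXPLOIT_A_SIGNATURE = re.compile(rb"A{64}")


def exploit_filter(message):
    return EXPLOIT_A_SIGNATURE.search(message) is not None


def vulnerability_filter(message):
    """Written to the flaw: decode the protocol and test the condition that triggers it."""
    fields = parse_greet(message)
    if fields is None:
        return False            # not GREET traffic; this filter has nothing to decide
    return len(fields.get(b"NAME", b"")) > NAME_BUFFER


# Constructed traffic: two attack variants against the same flaw and two benign messages.
SAMPLES = {
    "benign": b"GREET\nNAME=alice\n",
    "exploit_a": b"GREET\nNAME=" + b"A" * 64 + b"\n",
    "exploit_b": b"GREET\nNAME=" + b"B" * 40 + b"\n",                    # same flaw, different filler
    "benign_comment": b"GREET\nNAME=bob\nCOMMENT=" + b"A" * 64 + b"\n",  # signature bytes in a safe field
}


def evaluate(filters=(exploit_filter, vulnerability_filter), samples=SAMPLES):
    """Run each filter over each sample; True means the filter would block or alert."""
    return {f.__name__: {name: f(msg) for name, msg in samples.items()} for f in filters}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The cost of the vulnerability filter is the protocol decode, which is exactly the "engine performance limitation" the slide says pushes developers toward coarse signatures; the benefit is that every future variant of the same flaw is already covered, which is what makes it behave like a patch.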