TRANSCRIPT
Securing Your Network
Dataway Seminar, San Francisco, 26 June 2002
QualysGuard®
Vulnerability Analysis – The New Frontier of Security
by Tom Clare, Director, Channel Marketing
Agenda
- Company Background/Team
- Vulnerability Assessment
- QualysGuard
  - Product Family
  - Internet Scanner
  - Live Demonstration
  - Product Enhancements
- Q&A
Qualys Company Background
- Single focus on Vulnerability Assessment
- Highly scalable web service platform
- Most comprehensive vulnerability database, updated daily
- Live since May 2000, run rate of 32,000+ scans per month
- 525+ customers, growing at 25+ per month, including: Adobe, Apple, HP, Siebel, Agilent, Cartier, L’Oreal, Bank of the West, First State Bank, Cincinnati Children’s Hospital, VeriSign, Web Power Associates, Tower Records, Broadwing, BASF, Generali…
- Founded in March 1999; 90 employees, 45 in R&D
- Global offices in US, France, Germany and UK
- $40M in funding from Trident Capital, Deutsche Bank ABS Ventures, Mercury Interactive and VeriSign
- Headquartered in Redwood Shores, CA
Why Does This Happen?
(Diagram labels: Firewall, IDS, Anti-Virus, Attack)
Why Vulnerability Assessment?
“99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available”
Source: 2001 CERT, Carnegie Mellon University
“In 2001, more than 30 vulnerabilities were discovered each week” (compared to 5 vulnerabilities discovered per week in 1998)
Source: 2001 Forrester Research
The worm.sdsc.edu Project
Experiment: attaching a “default installed” system to the Internet and monitoring it
- After 8 hours the first probe for RPC vulnerabilities was detected
- Within a few days, over 20 exploit attempts
- A few weeks later the system was completely compromised and a network sniffer was installed by an attacker
Vulnerability & Exploit Lifecycle
(Timeline diagram: First Discovery, Selective Awareness, Advisory Release, Widespread Awareness; vulnerability scanners adding a detection signature)
Early availability of detection capabilities is key to preventing intrusion and compromise
Recent outbreaks of NIMDA and Code Red could have been prevented
Compromise is Costly
- Compromised systems may not be immediately identified
- To fully recover a compromised system, it must be taken offline
  - Downtime of critical servers
  - Time invested by administrators
- To restore the integrity of the system it must be validated
  - Forensics may take days to complete
  - Reinstall operating system and applications & all security patches
  - Back-ups may contain altered data, making them useless during recovery activities
Frequency Shift
Automated worms, malicious code and multi-part viruses are making “security through obscurity” a bygone
Vulnerability Assessment offers the most value to customers for today’s security threats
- Closes open doors that viruses frequently enter
- Verifies what firewall policy changes expose
- Provides an inventory of affected systems for IDS alerts
- Scans web site applications daily with latest VA tests
- Detects unknown rogue systems on networks
Tools are evolving into online service architectures, constantly updated and ready
Detection is shifting to prevention
Advancing VA
Topic                                  | Freeware          | Tools                          | Service
Updates                                | ~monthly          | ~monthly/weekly                | Daily (2-4 times)
Provisioning                           | Manual download   | Manual download                | Auto-update
Expertise to use product               | High              | Medium                         | Low
Learning curve/start-up                | ~one week         | ~2-3 days                      | < 1 Hour
Knowledge transfer                     | Difficult         | Moderate                       | Easy
Scalability for dist. & large networks | Low               | Low                            | High
Commitment                             | None (both sides) | 3-5 years (perpetual purchase) | 1 year (annual subscription)
QualysGuard Product Family
- Trial System: automated online trials with partner co-branding
- BrowserCheck: FREE Internet Explorer browser checks for over 400M users of IE
- Internet Scanner: true outside-in VA tests & remedies with network mapping
- Firewall Plug-in: Check Point OPSEC integration to scan visible systems after each firewall policy change
- Intranet Scanner: LAN-based inside scanning from a self-updating appliance (Beta June 2002)
- Enterprise Report Server: internal report server database for large networks (Beta Q3)
Centralized Vulnerability Assessment knowledge base, leveraged for different users and locations and updated multiple times per day
QualysGuard Internet Scanner: Distributed, Secure & Scalable Infrastructure
(Architecture diagram: Internet; Target Servers; Hacker; QualysGuard Data Center with Database Servers, Web Application Servers, APIs, Management Console, Reports and a New Vulnerabilities feed; Browser; Distributed Scanners)
Inference Based Vulnerability Scanning
- Non-intrusive, with no impact on the availability or integrity of a host being scanned
- Modular, inference-based scanning with over 100 specific modules
- Scans 300+ applications on 20+ platforms and operating systems (commercial and open source)
- Over 1700 Internet vulnerability tests, growing at 18-25+ per week
(Diagram: Knowledge Base → Set of Facts → Tests → New Facts)
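As an added illustration of the facts-tests-new-facts loop described above (example code, not Qualys's own), a small forward-chaining scheduler in which each test module declares the facts it requires and contributes new facts when it runs. The fake host, module names and banner strings are constructed assumptions; nothing touches a network.

```python
# Added example (not Qualys code): a forward-chaining scheduler in the spirit of
# "Knowledge Base -> Set of Facts -> Tests -> New Facts". A test module runs only once
# the facts it requires are known, and its output becomes facts for later modules.
# Every "probe" here reads a constructed fake host, so nothing touches a network.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Fact = Tuple[str, str]  # (attribute, value), e.g. ("port_open", "80")

@dataclass
class Module:
    name: str
    requires: FrozenSet[Fact]                   # preconditions (facts) for this module
    run: Callable[[Dict[str, str]], Set[Fact]]  # returns newly inferred facts

# Constructed stand-in host: open port -> banner the probe would observe (assumed values).
FAKE_HOST = {"80": "Apache/1.3.12", "443": "", "22": "OpenSSH_2.9"}

def port_probe(host): return {("port_open", p) for p in host}
def http_banner(host): return {("http_server", host["80"])}
def apache_checks(host): return {("finding", "apache-version-check")}
def ssh_banner(host): return {("ssh_server", host["22"])}

MODULES: List[Module] = [
    Module("port_probe", frozenset(), port_probe),
    Module("http_banner", frozenset({("port_open", "80")}), http_banner),
    Module("apache_checks", frozenset({("http_server", "Apache/1.3.12")}), apache_checks),
    Module("ssh_banner", frozenset({("port_open", "22")}), ssh_banner),
    # Never fires against this host: the IIS precondition is never inferred.
    Module("iis_checks", frozenset({("http_server", "Microsoft-IIS/5.0")}), lambda h: set()),
]

def run_inference(modules: List[Module], host: Dict[str, str]) -> Tuple[Set[Fact], List[str]]:
    """Run every module whose preconditions are satisfied by the known facts, repeating
    until no module can add anything. Returns (all facts, order the modules ran in)."""
    facts: Set[Fact] = set()
    ran: List[str] = []
    progress = True
    while progress:
        progress = False
        for m in modules:
            if m.name in ran or not m.requires <= facts:
                continue  # already run, or its preconditions are not (yet) known
            facts |= m.run(host)
            ran.append(m.name)
            progress = True
    return facts, ran
```

Modules whose preconditions are never established (here the IIS checks) are simply never run, which is what keeps the scan non-intrusive and targeted.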
Live Demonstration
- Network Mapping
- Vulnerability Scanning
- Detail Reporting
- Dynamic Reports
- CVE Database
- Configuration Options
- Account Maintenance
QualysGuard Features
- Scalability, reliability and speed
- Enterprise-level scanning: Class C & B networks
- Comprehensive database of vulnerabilities with aggregated signatures and patches
- Graphical and actionable reporting
- Network discovery for large networks
- 90+% OS detection correctness
- Minimizing false positives
- Full set of extensible XML APIs to fully integrate into the security process
Extending the Platform: Intranet Scanner
(Architecture diagram: QualysGuard Platform with Web Application Servers and Database Servers; Internet; Distributed Scanners; Browser; customer side with Firewall, Intranet Scanner, Intranet and Customer Servers)
QualysGuard for Check Point
- Monitors firewall policy changes
- Automatically scans updated firewalls
- Analyzes results against the previous assessment
- Produces trend analysis results (+/-)
Results/Reports
- Email with trend summary & URL report links
- Firewall log entries including trend summary
- Online detail & differential HTML reports
How it Works
(Diagram: Internet; Company Network with Admin GUI, Management Server and VPN-1/FireWall-1 Enforcement Point; Remote Office Network with FireWall-1; Qualys Platform with Scan Engines, QualysGuard Firewall Plug-In and Firewall Policy Analysis)
1. Firewall policy change
2. Detect change & signal scan
3. Scan & analyze results
4. Email & log summary results (email to the admin, entry in the firewall log)
5. Online reports
OPSEC integration into the firewall policy change cycle
Graphical HTML Reports
Report types: Summary; Trend Analysis
Trend Analysis fields: Severity Scale, Vulnerability Title, First & Last Detected, Duration (Lifespan), Status (Active/Fixed)
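An added example, not Qualys code, of the differential analysis behind the Check Point plug-in's +/- trend results and the trend report fields listed above (first and last detected, lifespan, Active/Fixed). The hosts, vulnerability titles, severity scale and scan dates are constructed assumptions.

```python
# Added example (not Qualys code): differential analysis of two scan results, as in the
# Check Point plug-in workflow: scan after a policy change, compare with the previous
# assessment, and report +/- trends using the trend report's own fields.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple
@dataclass
class Finding:
    host: str
    title: str
    severity: int  # assumed 1..5 severity scale
@dataclass
class TrendRow:  # one row of the trend report
    host: str
    title: str
    severity: int
    first_detected: date
    last_detected: date
    status: str  # "Active" or "Fixed"
    def lifespan_days(self) -> int:
        return (self.last_detected - self.first_detected).days

def update_trend(history: Dict[Tuple[str, str], TrendRow], scan: List[Finding],
                 scan_date: date) -> Dict[str, List[TrendRow]]:
    """Merge one scan into the history; return what is new (+), fixed (-) or persisting."""
    seen = {(f.host, f.title) for f in scan}
    delta: Dict[str, List[TrendRow]] = {"new": [], "fixed": [], "persisting": []}
    for f in scan:
        row = history.get((f.host, f.title))
        if row is None or row.status == "Fixed":  # a reappearing finding starts a new lifespan
            row = TrendRow(f.host, f.title, f.severity, scan_date, scan_date, "Active")
            history[(f.host, f.title)] = row
            delta["new"].append(row)
        else:
            row.last_detected = scan_date
            delta["persisting"].append(row)
    for key, row in history.items():
        if row.status == "Active" and key not in seen:
            row.status = "Fixed"  # last_detected keeps the date it was last seen
            delta["fixed"].append(row)
    return delta

def summary_line(delta: Dict[str, List[TrendRow]]) -> str:
    """One-line trend summary of the kind sent by email or written to the firewall log."""
    return (f"VA trend: +{len(delta['new'])} new, -{len(delta['fixed'])} fixed, "
            f"{len(delta['persisting'])} persisting")

# Constructed scan results for two hosts, before and after a firewall policy change.
SCAN_BEFORE = [Finding("192.0.2.10", "SSH version disclosure", 2),
               Finding("192.0.2.10", "SMTP open relay", 4)]
SCAN_AFTER = [Finding("192.0.2.10", "SSH version disclosure", 2),
              Finding("192.0.2.11", "Telnet service exposed", 3)]
```

Running update_trend with SCAN_BEFORE and then SCAN_AFTER yields one new finding, one fixed finding and one persisting finding, with the fixed row keeping its last-detected date from the earlier scan.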
OPSEC Integration
OPSEC Framework
- OMI (Object Management Interface): ability to read policy status information
- ELA (Event Logging API): ability to write log entries to the firewall log
(Diagram: Policy Editor, Management Server with Policy DB, VPN-1/FireWall-1, Firewall Log; Firewall Plug-In on Windows NT/2000, with QG.conf holding the Mgmt Server IP)
Summary
Vulnerability Assessment offers the most value to customers for today’s security threats
- Closes open doors that viruses frequently enter
- Verifies what firewall policy changes expose
- Provides an inventory of affected systems for IDS alerts
- Scans web site applications daily with latest VA tests
- Detects rogue systems unknown to administrators
In 2001, 99% of incidents and exposures utilized a known vulnerability where a countermeasure was available (CERT)
Tools are evolving into online service architectures, constantly updated and ready
Detection is shifting to prevention