Securing Your Network

Dataway Seminar, San Francisco, 26 June 2002

QualysGuard®

Vulnerability Analysis – The new Frontier of Security

by Tom Clare, Director, Channel Marketing



Agenda

- Company Background/Team
- Vulnerability Assessment
- QualysGuard
  - Product Family
  - Internet Scanner
  - Live Demonstration
  - Product Enhancements
- Q&A


Qualys Company Background

- Single focus on Vulnerability Assessment
- Highly Scalable Web Service Platform
- Most Comprehensive Vulnerability Database – Daily Updates
- Live since May 2000, run rate of 32,000+ scans per month
- 525+ customers growing at 25+ per month, includes: Adobe, Apple, HP, Siebel, Agilent, Cartier, L’Oreal, Bank of the West, First State Bank, Cincinnati Children’s Hospital, VeriSign, Web Power Associates, Tower Records, Broadwing, BASF, Generali…
- Founded in March 1999
- 90 Employees, 45 in R&D
- Global offices in US, France, Germany and UK
- $40M in funding: Trident Capital, Deutsche Bank, ABS Ventures, Mercury Interactive and VeriSign
- Headquartered in Redwood Shores, CA


Why Does This Happen?

[Diagram labels: Firewall, IDS, Anti-Virus, Attack]


Why Vulnerability Assessment?

“99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available”

Source: 2001 CERT, Carnegie Mellon University

“In 2001, more than 30 vulnerabilities were discovered each week”

Source: 2001 Forrester Research

(compared to 5 vulnerabilities discovered per week in 1998)


The worm.sdsc.edu Project

- Experiment: attaching and monitoring a “default installed” system on the Internet
- After 8 hours, the first probe for RPC vulnerabilities was detected
- Within a few days, over 20 exploit attempts
- A few weeks later the system was completely compromised and a network sniffer was installed by an attacker


Vulnerability & Exploit Lifecycle

[Diagram labels: Advisory Release; Widespread Awareness; Vulnerability Scanners adding detection signature; Selective Awareness; First Discovery]

Early availability of detection capabilities is key to prevent intrusion and compromise

Recent outbreaks of NIMDA and Code Red could have been prevented


Compromise is Costly

- Compromised systems may not be immediately identified
- To fully recover a compromised system, it must be taken offline
  - Downtime of critical servers
  - Time invested by administrators
- To restore the integrity of the system it must be validated
  - Forensics may take days to complete
  - Reinstall operating system and applications & all security patches
  - Back-ups may contain altered data making it useless during recovery activities


Frequency Shift

- Automated worms, malicious code and multi-part viruses are making “security through obscurity” a bygone
- Vulnerability Assessment offers the most value to customers for today’s security threats
  - Closes open doors that viruses frequently enter
  - Verifies what firewall policy changes expose
  - Provides an inventory of affected systems for IDS alerts
  - Scans web site applications daily with latest VA tests
  - Detects unknown rogue systems on networks
- Tools are evolving into online service architectures, constantly updated and ready
- Detection is shifting to prevention


Advancing VA

| Topic | Freeware | Tools | Service |
|---|---|---|---|
| Updates | ~monthly | ~monthly/weekly | Daily (2-4 times) |
| Provisioning | Manual download | Manual download | Auto-update |
| Expertise to use product | High | Medium | Low |
| Learning curve/start-up | ~one week | ~2-3 days | < 1 Hour |
| Knowledge transfer | Difficult | Moderate | Easy |
| Scalability for dist. & large networks | Low | Low | High |
| Commitment | None (both sides) | 3-5 years (perpetual purchase) | 1 year (annual subscription) |


QualysGuard Product Family

QualysGuard

- BrowserCheck: FREE Internet Explorer browser checks for over 400M users of IE
- Trial System: Automated online trials with partner co-branding
- Internet Scanner: True outside-in VA tests & remedies with Network mapping
- Firewall Plug-in: Check Point OPSEC Integration to scan visible systems after each firewall policy change
- Intranet Scanner: LAN based inside scanning from self updating appliance (Beta June 2002)
- Enterprise Report Server: Internal report server database for large networks (Beta Q3)

Centralized Vulnerability Assessment knowledge base leveraged for different users and locations, updated multiple times per day


QualysGuard Internet Scanner

Distributed, Secure & Scalable Infrastructure

[Architecture diagram labels: Internet, Target Servers, Hacker, QualysGuard Data Center, Data Base Servers, Web Application Servers, New Vulnerabilities, APIs, Browser, Mgt Console, Reports, Distributed Scanners]


Inference Based Vulnerability Scanning

Non-intrusive with no impact on the availability or integrity of a host being scanned

Modular, inference-based scanning with over 100 specific modules

Scans 300+ applications on 20+ platforms and operating systems (commercial and open source)

Over 1700+ Internet vulnerability tests, growing at 18-25+ per week

[Diagram labels: Knowledge Base, Set Of Facts, Test, New Facts]


Live Demonstration

- Network Mapping
- Vulnerability Scanning
- Detail Reporting
- Dynamic Reports
- CVE Database
- Configuration Options
- Account Maintenance


QualysGuard Features

- Scalability, Reliability and Speed
- Enterprise level scanning – Class C & B Networks
- Comprehensive database of vulnerabilities with aggregated signatures and patches
- Graphical and Actionable Reporting
- Network Discovery for Large Networks
- 90+% OS detection correctness
- Minimizing false positives
- Full set of extensible XML APIs to fully integrate into the security process


Extending the Platform: Intranet Scanner

[Diagram labels: QualysGuard Platform, Internet, Web Application Servers, Database Servers, Distributed Scanners, Firewall, Intranet Scanner, Intranet, Customers Servers, Browser]


QualysGuard for Check Point

- Monitors firewall policy changes
- Automatically scans updated firewalls
- Analyzes results with previous assessment
- Produces trend analysis results (+/-)
- Results/Reports
  - Email with trend summary & URL report links
  - Firewall log entries including trend summary
  - Online Detail & Differential HTML reports


How it Works

[Diagram labels: Internet, Company Network, Admin GUI, Management Server, VPN-1/FireWall-1 Enforcement Point, Remote Office Network, FireWall-1, Qualys Platform, Scan Engines, QualysGuard Firewall Plug-In, Firewall Policy Analysis, Admin, Email, Log]

1. Firewall policy change
2. Detect change & signal scan
3. Scan & analyze results
4. Email & log summary results
5. Online reports

OPSEC Integration into the firewall policy change cycle

QualysGuard for Check Point


Graphical HTML Reports

Report Type

Summary

Trend Analysis

Severity Scale, Vulnerability Title, First & Last Detected, Duration (Lifespan), Status (Active/Fixed)
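
The comparison with the previous assessment and the report columns listed above (first and last detected, duration, status), sketched as an added Python example that is not Qualys code. The data layout, function names and sample findings are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample scans (not real output): one findings dict per scan,
# keyed by (host, vulnerability title) with an assumed 1-5 severity value.
HISTORY = [
    (date(2002, 6, 1), {("192.0.2.10", "Anonymous FTP enabled"): 2,
                        ("192.0.2.10", "Outdated web server banner"): 3}),
    (date(2002, 6, 8), {("192.0.2.10", "Outdated web server banner"): 3,
                        ("192.0.2.20", "SNMP default community string"): 4}),
]

def trend_report(history):
    """Build per-finding rows with first/last detected, duration and status."""
    rows = {}
    for scan_date, findings in history:          # oldest scan first
        for key, severity in findings.items():
            row = rows.setdefault(key, {"severity": severity, "first": scan_date})
            row["severity"] = severity           # keep the most recent rating
            row["last"] = scan_date
    latest = history[-1][0]
    for row in rows.values():
        # A finding absent from the most recent scan is treated as fixed.
        row["status"] = "Active" if row["last"] == latest else "Fixed"
        row["duration_days"] = (row["last"] - row["first"]).days
    return rows

def trend_summary(history):
    """Return (new, fixed) finding keys between the two most recent scans."""
    previous, current = set(history[-2][1]), set(history[-1][1])
    return sorted(current - previous), sorted(previous - current)

if __name__ == "__main__":
    new, fixed = trend_summary(HISTORY)
    print(f"Trend: +{len(new)} new / -{len(fixed)} fixed")
    for (host, title), row in sorted(trend_report(HISTORY).items()):
        print(f"{row['severity']} {host:<12} {title:<32} {row['first']} "
              f"{row['last']} {row['duration_days']:>3}d {row['status']}")
```

A finding that appears only after a firewall policy change shows up in the "new" list, which is the exposure the differential report is meant to surface.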


OPSEC Integration

OPSEC Framework

- OMI – Object Management Interface: ability to read policy status information
- ELA – Event Logging API: ability to write log entries to firewall log

[Diagram labels: Policy Editor, MGMT Server, ELA, OMI, VPN-1/FireWall-1, Firewall Log, Firewall Plug-In, Windows NT/2000, QG.conf - Mgmt Server IP, Policy DB]


Summary

- Vulnerability Assessment offers the most value to customers for today’s security threats
  - Closes open doors that viruses frequently enter
  - Verifies what firewall policy changes expose
  - Provides an inventory of affected systems for IDS alerts
  - Scans web site applications daily with latest VA tests
  - Detects rogue systems unknown to administrators
- In 2001, 99% of incidents and exposures utilized a known vulnerability where a countermeasure was available (CERT)
- Tools are evolving into online service architectures, constantly updated and ready
- Detection is shifting to prevention


Q&A

www.qualys.com