Gonz Guzman
Zscaler Administration and Reporting
Andy Groome
Agenda
• What is the Zscaler Web Security Service?
• How is it deployed?
• Zscaler Administration
• Zscaler Reporting
• Zscaler Malware Prevention/Reporting
2 10/3/12
Zscaler
• Zscaler provides content filtering and anti-virus/malware protection via a cloud-based service.
• Zscaler Enforcement Nodes (ZENs) are deployed in two of MCNC / NCREN’s egress points to the commodity internet.
  ◦ Traffic redirection is accomplished via the NCREN router at your location or a proxy auto-configuration (PAC) file
Zscaler Administration
• Zscaler Administration UI Demonstration
Zscaler Malware Prevention/Reporting
Zscaler lines of defense
• Manage > URL policies
• Secure > Advanced threats
• Secure > Anti-virus & anti-spyware
• Secure > File type control
Zscaler Malware Prevention/Reporting
Virus Test Files
• eicar.org
  ◦ European Expert Group for IT-Security
  ◦ http://www.eicar.org/85-0-Download.html
• 8 files of 'pseudo-malware' containing virus-like strings
• Not harmful to the device downloading them
• Zscaler will block these downloads
Zscaler Malware Prevention/Reporting
Malware Sites
• Site devoted to cataloging malware sites:
  http://www.malwaredomainlist.com/forums/index.php?topic=3270.0
• Zeus botnet tracker to see current Zeus C&C servers on a map
• mdlcsv.php - known malware sites
  ◦ Dates 1/1/2009-present
  ◦ 85,926 listings in the file
Zscaler Malware Prevention/Reporting
Lab Testing – Malware vs. Zscaler
• Automated script on Linux
• 60 hours
• 44,684/85,926 or ~52% of the malwaredomainlist.com sites did resolve
• If a site resolved, the script attempted to download the page/file
• 5,914 files downloaded
• 386 different file extensions
Zscaler Malware Prevention/Reporting
• Files with asterisks can also be blocked by Zscaler based on file-type extension
• Other downloaded files included 3 .msi, 3 .scr, 7 .dll, 2 .dmg, but no Linux viruses!
And the top 20 file-type extensions downloaded…:
Zscaler Malware Prevention/Reporting
Rank   Number of files   Extension
 1     1901              php
 2     1839              html
 3      724              exe*
 4      381              txt
 5      220              bin
 6       96              jpg
 7       60              htm
 8       40              js*
 9       39              gif
10       39              swf*
11       38              pdf*
12       32              jar*
13       31              png
14       17              avi*
15       16              com*
16       13              psd*
17       11              asp
18       10              ico
19       10              aspx
20        9              zip*
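The lab run above boils down to a simple analysis: take every URL the script actually fetched, derive the file extension, rank extensions by frequency, and mark the ones a File type control policy could block. The following is an added example that reproduces that analysis, not the MCNC lab script; the URLs are constructed samples (not the malwaredomainlist.com data), and the blocklist is an assumption taken from the asterisked extensions in the table.

```javascript
// Added example: rank file extensions seen in download URLs and flag those a
// file-type control policy would catch. Constructed sample URLs, not lab data.
const SAMPLE_DOWNLOADS = [
  'http://bad.example/landing.php',
  'http://bad.example/index.html',
  'http://bad.example/dl/Setup.EXE',          // mixed case must still count as exe
  'http://bad.example/dl/dropper.exe?id=7',   // query string must not leak into the extension
  'http://bad.example/readme.txt',
  'http://bad.example/payload.bin',
  'http://bad.example/applet.jar',
  'http://bad.example/ad.swf#frame',          // fragment must be ignored too
  'http://bad.example/',                      // bare directory: no extension at all
  'http://bad.example/js/loader.js',
];

// Assumption: the extensions marked with an asterisk on the slide are the ones
// a file-type control policy is configured to block.
const FILE_TYPE_BLOCKLIST = new Set(['exe', 'js', 'swf', 'pdf', 'jar', 'avi', 'com', 'psd', 'zip']);

// Extension of the final path segment, lowercased; '(none)' when there is none.
function extensionOf(url) {
  const path = new URL(url).pathname;   // URL parsing drops ?query and #fragment
  const last = path.split('/').pop();   // final path segment ('' for a directory)
  const dot = last.lastIndexOf('.');
  if (dot <= 0) return '(none)';        // no dot, or a dotfile such as .htaccess
  return last.slice(dot + 1).toLowerCase();
}

// Frequency table sorted by count (desc), then extension name so ties are stable.
function tallyExtensions(urls) {
  const counts = new Map();
  for (const u of urls) {
    const ext = extensionOf(u);
    counts.set(ext, (counts.get(ext) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([ext, count], i) => ({ rank: i + 1, count, ext, blockable: FILE_TYPE_BLOCKLIST.has(ext) }));
}

// Fraction of all downloads that file-type control alone would have stopped.
function blockableShare(rows) {
  const total = rows.reduce((s, r) => s + r.count, 0);
  const blocked = rows.filter(r => r.blockable).reduce((s, r) => s + r.count, 0);
  return total === 0 ? 0 : blocked / total;
}

if (typeof require !== 'undefined' && require.main === module) {
  const rows = tallyExtensions(SAMPLE_DOWNLOADS);
  for (const r of rows) console.log(`${r.rank}\t${r.count}\t${r.ext}${r.blockable ? '*' : ''}`);
  console.log(`file-type control would block ${(blockableShare(rows) * 100).toFixed(0)}% of downloads`);
}
```

Run against a real download log, the `blockableShare` figure is the number to compare against the slide: the remaining share (php, html, txt and the like) is exactly the traffic that only the URL category and Advanced threats policies can catch, which is why the slides list them as separate lines of defense.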
Zscaler Malware Prevention/Reporting
• Manage > URL categories
• Secure > Anti-virus & anti-spyware policy
• Secure > Advanced threats:
  ◦ Strict vs. permissive slider bar – 33%:
  ◦ Strict – may block legitimate sites such as update.microsoft.com (due to file extensions, the fact that downloads are attempted, etc.)
  ◦ Permissive – allows questionable websites
Zscaler Malware Prevention/Reporting
Reporting & malware
• Analytics > Web Insights
  ◦ Filter for Threat Class > Advanced Threats
• Users typically see these reasons for a block:
  ◦ “Not allowed to browse this malicious url.”
  ◦ “Detected possible botnet command.”
• Analytics > Interactive Reports > Security Threats > Which advanced threats were detected?
Initial Assessment – What is happening?
• A page is blocked
  ◦ Security threat
  ◦ Policy rule
• A page is broken
  ◦ Page does not load
  ◦ Page not displayed correctly
• Other issues
  ◦ Server or browser errors
13 3/24/14
Questions to ask…
• What is the scope?
  ◦ This user?
  ◦ Other browsers?
  ◦ Other locations?
• What are the logs telling me?
• Is HTTPS involved?
• Another manifestation of a common issue?
Common Issues – PAC file logic
• On-premise traffic reported as Road Warrior
• SSL and Authentication bypass not applied
• GRE bypass not applied
• Why?
  ◦ TCP/9443 not routed across GRE
  ◦ Location-aware logic dictates behavior
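The three symptoms on this slide share one root: a PAC file's location test decides whether a client is treated as on-premise (traffic goes DIRECT, and the site router redirects it over GRE) or as a Road Warrior (traffic is sent explicitly to the cloud proxy), and the bypass rules must be evaluated before that test so they apply in both cases. The following is an added example of such a PAC file together with a small offline harness, not MCNC's or Zscaler's PAC; the 10.0.0.0/8 on-premise range, the `zscaler-gateway.example` proxy host, and the bypass list are assumptions, the `clientIp` parameter stands in for the browser's `myIpAddress()` so the logic can be unit-tested, and `isInNet`/`shExpMatch` are local re-implementations of the standard PAC helpers.

```javascript
// Added example: location-aware PAC logic with bypasses evaluated first.
// Assumed values, not MCNC's configuration:
const ON_PREM_NETWORKS = [
  { network: '10.0.0.0', mask: '255.0.0.0' },        // assumed campus range
];
const PROXY_GATEWAY = 'PROXY zscaler-gateway.example:80'; // placeholder host
const BYPASS_HOST_PATTERNS = [
  'update.microsoft.com',   // the slides' example of a site strict mode may break
];

// Local stand-ins for the PAC helper functions a browser normally provides.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}
function isInNet(ip, network, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(network) & m) >>> 0);
}
// Glob match supporting '*' only (enough for host patterns).
function shExpMatch(str, pattern) {
  const parts = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(str);
}

// clientIp replaces myIpAddress() so the decision can be tested offline.
function findProxyForURL(url, host, clientIp) {
  // 1. Bypasses first: they must hold for on-prem and remote clients alike.
  //    Putting them after the location test is how "bypass not applied" happens.
  for (const pattern of BYPASS_HOST_PATTERNS) {
    if (shExpMatch(host, pattern)) return 'DIRECT';
  }
  // 2. Unqualified internal hostnames never leave the site.
  if (!host.includes('.')) return 'DIRECT';
  // 3. Location test: an on-prem client already has its web traffic redirected
  //    to the ZEN by the NCREN router over GRE, so the PAC returns DIRECT. If this
  //    range is wrong or stale, on-prem users are proxied explicitly and show up
  //    in the logs as Road Warriors.
  for (const net of ON_PREM_NETWORKS) {
    if (isInNet(clientIp, net.network, net.mask)) return 'DIRECT';
  }
  // 4. Everyone else is a Road Warrior: explicit proxy, DIRECT only as fallback.
  return `${PROXY_GATEWAY}; DIRECT`;
}

// Constructed scenarios: the same request from an on-prem desktop and a home laptop.
const SCENARIOS = [
  ['http://www.example.com/', 'www.example.com', '10.20.30.40'],
  ['http://www.example.com/', 'www.example.com', '192.0.2.17'],
  ['https://update.microsoft.com/', 'update.microsoft.com', '192.0.2.17'],
  ['http://intranet/', 'intranet', '192.0.2.17'],
];
function runScenarios() {
  return SCENARIOS.map(([url, host, ip]) => ({ url, clientIp: ip, decision: findProxyForURL(url, host, ip) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runScenarios()) console.log(`${r.clientIp}\t${r.url}\t${r.decision}`);
}
```

When the logs show an on-prem user as a Road Warrior, run the user's address through this kind of harness against the deployed PAC's ranges: either the address falls outside the on-prem list, or the bypass and location rules are in the wrong order.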
Common Issues – Custom Categories
• Custom Category issues
  ◦ Entry not associated with original category
  ◦ Duplicate category entries are BAD
  ◦ Category lookup not accurate, trust the logs
Common Issues – Auth / SSL Bypass
• Authentication
  ◦ Bypass required?
  ◦ Bypass unexpected (unknown user-agent)?
• SSL bypass required?
  ◦ Transparent and explicit proxy?
• Service bypass required?
Diagnostic Mantra
• Mantra:
  ◦ “The logs are my friend”
  ◦ “The logs tell the truth”
  ◦ “The logs will show the way”
Diagnostic Mantra
• Any Questions?