Integrated Threat Management Appliance 1 - - PowerPoint PPT Presentation



SLIDE 1

Integrated Threat Management Appliance

SLIDE 2

http://www.youtube.com/watch?v=F7pYHN9iC9I

SLIDE 3

SLIDE 4

Denial of Service Attack (DoS)

SLIDE 5

THREAT CATEGORY | THREAT ACTION TYPE
Malware/Badware | Send data to the external entity/site, Trapdoor/Backdoor Entry, Key-logger, Form-grabber, Spyware, RAM scraper
Hacking         | Exploitation of backdoors, credentials theft and usage, SQL injection
Misuse          | Abuse of System Access and privileges
Social          | Email with Attachments, Instant Messaging, Phishing, Spam
Error           | System Malfunctioning, Misconfiguration

SLIDE 6

Approach

  • Screening of traffic at the Perimeter
  • Unified Solution
  • Single console for management, updates and event logging/reporting
  • Low latency
  • Scalable
  • Traffic Management

SLIDE 7

Network diagram (labels on the slide: NKN PUB, CORPORATE NETWORK, ITM Appliance)

SLIDE 8

Features

  • Developed from open source software
  • Layer 2 to Layer 7 inspection
  • Hardware design supports Deep Packet Inspection
  • Scalable Architecture
  • Flexible Bandwidth management
  • Secure VPN access
  • Management console offers both local and remote administration

SLIDE 9

Components of ITMA

  • Firewall
  • Intrusion detection & Protection system
  • Gateway Antivirus
  • Gateway Antispam
  • Content Filtering

SLIDE 10

Firewall Traffic Path: Stateful Packet Inspection

Diagram: the header fields that are inspected (Version | Service | Total Length | ID | Flags | Fragment | TTL | Protocol | IP Checksum | Source IP Address | Destination IP Address | IP Options) and the transport ports (Source UDP Port | Destination UDP Port).

Example state-table entry from the slide: Source 212.56.32.49, Destination 65.26.42.17, Source Port X, Dest Port 80, Sequence 28474 / Sequence 2821, Syn state SYN, IP Option none

Stateful is limited inspection that can only block on ports. No Data Inspection!

SLIDE 11

Firewall Traffic Path: Stateful Packet Inspection and Deep Packet Inspection

Diagram: the same IP header fields and UDP ports as on slide 10, now also checked against a Signature Database.

Signature Database (category and rule count): ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15, DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13, FTP 50, ICMP 115, Instant Messenger 25, IMAP 16, INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19, MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25, P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124, RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14, TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312, WEB-CLIENT

Deep Packet Inspection inspects all traffic moving through a device.

SLIDE 12

Firewall Traffic Path: Deep Packet Inspection / Prevention

Diagram: Stateful Packet Inspection of the IP and UDP header fields, then the DATA carried by the packet is compared against the Signature Database (categories as listed on slide 11).

Comparing… Application Attack, Worm or Trojan Found!

Deep Packet Inspection with Intrusion Prevention can find and block application vulnerabilities, worms or Trojans.
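The contrast drawn on slides 10 to 12, as an added example (not code from the slides or from the appliance): a stateful filter that decides on the destination port alone, beside a deep packet inspection check that applies the same port policy and then matches the payload against a signature set. The signature patterns, the allowed-port policy and the packets themselves are constructed for the example; the addresses and sequence number are the ones shown on slide 10.

```python
import struct

# Constructed signature database (category -> byte patterns); the slides list only category names and counts.
SIGNATURES = {
    "WEB-ATTACKS": [b"/etc/passwd", b"../../"],
    "ATTACK-RESPONSES": [b"uid=0(root)"],
}
ALLOWED_PORTS = frozenset({80, 443})  # constructed perimeter policy: web traffic only


def build_packet(src, dst, sport, dport, seq, payload, syn=False):
    """Assemble a minimal IPv4/TCP packet (checksums left zero; constructed test input)."""
    flags = 0x02 if syn else 0x18                        # SYN, or PSH+ACK carrying data
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp + payload


def parse_ipv4_tcp(packet):
    """Extract the header fields the slides show (addresses, TTL, ports, sequence, SYN) and the payload."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    if proto != 6:
        raise ValueError("example handles TCP only")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq,
        "syn": bool(off_flags & 0x02),
        "payload": packet[ihl + data_off:total_len],
    }


def stateful_decision(pkt):
    """Stateful filter as slide 10 describes it: a port decision, the data is never examined."""
    return "allow" if pkt["dport"] in ALLOWED_PORTS else "block"


def dpi_decision(pkt):
    """Deep packet inspection: same port policy, then the payload is matched against the signatures."""
    if stateful_decision(pkt) == "block":
        return "block", None
    for category, patterns in SIGNATURES.items():
        if any(p in pkt["payload"] for p in patterns):
            return "block", category
    return "allow", None


# Constructed packets using the addresses and sequence number shown on slide 10.
WEB_PROBE = build_packet("212.56.32.49", "65.26.42.17", 40000, 80, 28474,
                         b"GET /../../etc/passwd HTTP/1.0\r\n\r\n")
TELNET_PKT = build_packet("212.56.32.49", "65.26.42.17", 40001, 23, 1, b"", syn=True)
```

The web probe passes the port-only check because port 80 is allowed, and is caught only once the payload is inspected; the telnet SYN is stopped by both.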

SLIDE 13

Firewall Traffic Path: Gateway Anti-Virus and Content Control

Diagram: Stateful Packet Inspection of the header fields, then Deep Packet Inspection against the Signature Database (as listed on slide 11); labels on the slide: AuctionSite, Virus File!; components shown: Gateway Anti-Virus, Anti-Spyware, Content Inspection.

SLIDE 14

Firewall Traffic Path: Security Must Be Updated

Diagram: Stateful Packet Inspection, Deep Packet Inspection, Anti-Virus and the Content Filtering Service draw on the Signature Database (as listed on slide 11) and on separate databases: AV Database, IPS Database, Spy Database, Content Filtering Database; components shown: Gateway Anti-Virus, Anti-Spyware, Content Inspection.

SLIDE 15

Architecture: ITMA Packet Processor (QorIQ)

  • Rapid increase in data traffic is addressed by implementing multiple cores
  • Load spreading of the packets across pools of cores for parallel processing
  • Share network I/O between cores
  • Inter-core communication
  • Increases the capability and performance

SLIDE 16

Technical Specifications

Function | Generic Functionalities | Features offered in ITMA
A. Threat Vectors | Viruses | 3000+ signatures
 | Worms | Detection & Blocking
 | Spyware | Detection & Blocking
 | Phishing | Detection & Blocking
B. Technologies
1. Architecture | Content Processor | Content processor
 | Modular / Scalable | Modular / Scalable
 | Distributed architecture | Distributed Architecture

SLIDE 17

Technical Specifications Contd.

Function | Generic Functionalities | Features offered in ITMA
2. Platform | Processors | H/w based Accelerators
 | Gigabit Ports | 4
 | Console port (RJ45) | 1
 | USB Ports | 2
 | Form factor | Rack Mounted
 | High Availability features | Serial & Parallel Modes of operation
3. Operating System | | Embedded Linux
4. System Performance | Firewall Throughput (Gbps) | 2.5
 | New sessions/second | 5000

SLIDE 18

Technical Specifications Contd.

Function | Generic Functionalities | Features offered in ITMA
4. System Performance | Concurrent sessions | 100000
 | Antivirus Throughput (Gbps) | 1.5
 | IPS Throughput (Gbps) | 1.5
 | ITMA Throughput (Gbps) | 1.5
 | Authenticated Users/Nodes | unlimited

SLIDE 19

C. Threat Management with event logging features

1. Stateful Firewall
  • OSI Layers 2 to 4
  • Access Control Criteria: User identity, Source Identity
  • ITM Policies: IPS, Web filter, Application filter, Antivirus, Anti spam, Bandwidth Mgt, Default Denial
  • Other features: H.323 NAT Traversal, 802.1q VLAN Support, DoS & DDoS attack prevention, MAC & IP-MAC filtering, PAT

2. Antivirus / Anti Spyware
  • Virus, Worm, Trojan Detection & Removal
  • Spyware, Malware, Phishing protection
  • Automatic virus signature database update
  • Scanning of HTTP, FTP, SMTP, POP3, IMAP, IM, VPN tunnels
  • Block by file types

SLIDE 20

Technical Specifications Contd.

Function | Generic Functionalities | Features offered in ITMA

3. Anti Spam
  • Real-time Blacklist (RBL), MIME header check
  • Filter based on message header, size, sender, recipient
  • Redirect spam mails to dedicated email address
  • Image-spam filtering
  • Zero hour virus Outbreak protection
  • Subject line tagging
  • IP address Black list/White list
  • Spam Notification through Digest
  • IP Reputation-based spam filtering

SLIDE 21

Technical Specifications Contd.

Function | Generic Functionalities | Features offered in ITMA

4. Intrusion Prevention
  • Multiple IPS Policies
  • User-based policy creation
  • Protocol Anomaly Detection
  • DDoS attack prevention

D. Networking

1. Bandwidth Management
  • Appl. & User Identity based Bandwidth Mgt.
  • Category-based Bandwidth restriction

E. General

1. Certifications
  • ICSA Firewall
  • Checkmark UTM Level 5 Certification
  • VPNC - Basic and AES interoperability (certification process in progress)

SLIDE 22

Institutes involved

PSA Office, PIU NKN, ECIL (HYDERABAD), SETS (CHENNAI)

SLIDE 23

THANK YOU