TP-presentation
                                   iPro + TippingPoint Seminar
                                   Riga, June 11th 2009



Anders Eriksson
TippingPoint Nordic & Baltics
aeriksson@tippingpoint.com
+46 70 941 48 00
About TippingPoint

•   Founded in 2001
    –   Invented the in-line network IPS; world leaders according to
         •   our customers
         •   independent research institutes
    –   Owned by 3Com Corporation
    –   HQ in Austin, Texas; EMEA HQ in Amsterdam
    –   Partners in 70 countries
    –   iPro is the exclusive partner in Latvia
•   Numbers
    –   6,000+ customers
    –   TippingPoint revenue $130M (group revenue $1.3B)
    –   300 employees, 100 in R&D
Some users in the region

•   Denmark, the Baltic states, Finland, Norway and Sweden (customer logos per country not reproduced in this extract)
Independent researchers


                    “Signature quality remains the most
                    weighted and competitive factor on
                                shortlists.”

                    “TippingPoint's IPS products require
                     less effort to deploy and manage
                        than competitive offerings.”

                    “TippingPoint was listed by the most
                        IPS vendors as their primary
                               competitor.”


                                 - Gartner
TippingPoint IPS
Product feature presentation

Proactively Optimize Network Security
Robert Seimann - Senior Systems Engineer, Nordic & Baltics
Intrusion Prevention System "IPS"

[Diagram: an HTTP attack on port 80 penetrates the firewall, because the firewall must allow the public service through. The TippingPoint IPS sits in-line behind the firewall and functions as a "Network Patch" or "Virtual Software Patch" for vulnerable servers and network clients (for example the corporate web server), so attacks are detected and blocked at full network speed. A single unit gives automatic protection of individual physical networks. Internal attacks, from an internal attacker on the LAN, are also blocked.]

           The IPS stops attacks before they can do any damage
 Traditional Defenses:
 Firewalls and Intrusion Detection Systems

     •   Firewalls
          – Excellent at blocking traffic to ports not offering public services
          – Poor at filtering attacks carried inside traffic to allowed services
              • No or limited inspection of traffic destined for public servers
                (UTM appliances add some)
          – Can't stop attacks that come from the inside – 80% of the total!
              • A perimeter firewall cannot see bad traffic from the inside towards
                core servers
              • No or very limited protection against client-side attacks, browser
                flaws, spyware, ...
     •   Intrusion Detection Systems (IDS/IDP) - a Wireshark on steroids
          – Good at detecting many types of network attacks
              • An IDS spends considerable time analyzing network attacks
              • Time equates to high latency
          – Poor at preventing attacks from succeeding
              • Since it does not block, it only sounds the alarm; at best it can tell the
                firewall to block
          – Has not always been very accurate
              • Tendency to generate too many alerts – and worse, false positives
IPS – that is what we do!
State-of-the-Art Intrusion Prevention Systems

 •   Network Based Security
     –   We believe every form of user, device and traffic security possible should
         be provided from within the network as well as at the end-point
     –   Bump-in-the-wire device that classifies traffic and enforces policy-based action

[Diagram: dirty traffic (worms, Trojans, viruses, spyware, DoS) enters the IPS and clean traffic leaves it, giving automatic protection of applications, operating systems, clients and servers, network performance and VoIP infrastructure. Platform: custom hardware, high availability, multi-gigabit throughput, switch-like latency, millions of sessions, thousands of filters (signatures, protocol anomalies, vulnerability filters, traffic anomalies), intelligence updates via Digital Vaccine®.]
    TippingPoint IPS Product Line

                                   TP 10            TP 210E          TP 600E          TP 1200E         TP 2400E         TP 5000E
Performance
  Inspected throughput             20 Mbps          200 Mbps         600 Mbps         1.2 Gbps         2.0 Gbps         5.0 Gbps
  Typical latency                  < 500 µs         < 1 ms           < 84 µs          < 84 µs          < 84 µs          < 84 µs
  Total sessions                   250,000          1,000,000        2,000,000        2,000,000        2,000,000        2,000,000
  Connections per second           3,600+           7,500+           92,000           215,000          350,000          350,000
  Invalid SYNs/s under SYN flood   n/a              150,000          1,170,000        2,344,000        3,000,000        3,000,000
Scalability
  10/100/1000 Ethernet ports       4, copper only   10, copper only  8, fiber+copper  8, fiber+copper  8, fiber+copper  8, fiber+copper
  Total segments                   2                5                4                4                4                4
TippingPoint 10

•   Leading-edge security for smaller sites
    –   Two-segment IPS, copper 10/100/1000
    –   20 Mbps inspection capacity
    –   Latency <500 µs
    –   3,600 conn./sec
    –   250,000 sessions
    –   Supports TOS v2.5.x
    –   Managed by SMS v3.x
    –   Web and CLI management
    –   Built-in ZPHA (Zero Power High Availability) bypass
    –   Silent operation with passive cooling
    –   Single AC power supply
TippingPoint 210E

•   Cost-effective mid-range IPS
    –   Five-segment IPS, copper 10/100/1000
    –   200 Mbps inspection capacity
    –   Latency <1 ms
    –   Web and CLI management
    –   Built-in ZPHA bypass
    –   Single AC power supply
TippingPoint 600E, 1200E, 2400E & 5000E

•   High-performance IPS units
    –   Four-segment IPS
    –   4x copper, 4x fiber or two of each
    –   600 Mbps, 1.2 Gbps, 2 Gbps or 5 Gbps inspection capacity
    –   Latency <84 µs
    –   Web and CLI management
    –   Optional ZPHA bypass with an external unit
    –   Redundant AC power supplies
TippingPoint SMS

•   Security Management System
    –   Manages 25 IPS units
    –   Optionally delivered in high-availability (HA) and fault-tolerant (FT) configurations
•   Handles all monitoring and updating of the IPS units
    –   Policy distribution
    –   Distribution of DV (Digital Vaccine) filters
    –   Logging and reporting
                     Gartner Network IPS Magic Quadrant

[Figure: Gartner Magic Quadrant for Network IPS, vertical axis "ability to execute", horizontal axis "completeness of vision", quadrants challengers (top left), leaders (top right), niche players (bottom left) and visionaries (bottom right). TippingPoint, IBM, Sourcefire and McAfee are plotted in the leaders quadrant and Cisco in the challengers quadrant; Juniper Networks, Top Layer Networks, Reflex Security, DeepNine Technologies, NitroSecurity, Radware, StillSecure, Enterasys Networks and Check Point Software Technologies are plotted in the lower half. As of February 2008.]
Digital Vaccine Overview
Digital Vaccine Frequently Asked Questions

 •   How many filters or filter updates are in a typical Digital Vaccine update?
     –   10-15
 •   How many filters are deployed today?
     –   3813 (1139 turned on by default), as of January 2009
     –   Approx. 140 spyware filters, covering 3000+ different versions
 •   How often are Digital Vaccines sent out?
     –   At least twice a week, and more often as needed.
DVLabs Brain Trust

    David Endler, Senior Director
     –   VOIPSA chairman, author of "Hacking VoIP Exposed"
    Rohit Dhamankar, Director
     –   SANS Top 20 Chief Editor, frequent presenter at Black Hat and RSA
    Pedram Amini, Manager of Security Research
     –   Founder of OpenRCE.org, expert on reverse engineering, author of the "Fuzzing" book
    Rob King
     –   Speaker at Black Hat Briefings, Mac OS X reversing
    Cameron Hotchkies
     –   Web application security expert, author of the Absinthe web security scanner
    Mike Dausin
     –   Web application and database security research expert, speaker at Black Hat
    Alex Wheeler, Manager of DVLabs
     –   Expert in reverse engineering and anti-virus vulnerability research, frequent Black Hat presenter
    Cody Pierce
     –   Responsible for ActiveX fuzzing research, discoverer of numerous vulnerabilities
    Ganesh Devarajan
     –   SCADA security expert, quoted frequently in the press
    Terri Forslof
     –   Formerly program manager at the Microsoft Security Response Center, presents frequently on underground hacking activities
DVLabs' blog gives you the latest security information

•   http://dvlabs.tippingpoint.com/blog
DVLabs' Microsoft Coverage in 2008
(through January 1, 2009)

     Depth of Coverage vs. Responsiveness of Coverage

        •   Average response times were calculated only on the vulnerabilities that the
            vendor covered
        •   If an IPS vendor provided protection before a vulnerability was disclosed, this
            counts as a negative number of days in its response
        •   For example, with MS08-069 we provided DV filter protection on 11/11/2008 and
            Microsoft patched the issue on 12/09/2008: approximately a -28 day response
            for this one issue.
    Microsoft Coverage in 2008 (out of 140 vulnerabilities)

[Chart: responsiveness (vertical axis, -30 days to +30 days average response time) against breadth of coverage (horizontal axis, 0 to 140 vulnerabilities covered), divided into four quadrants: Responsive Shallow Coverage, Responsive Deep Coverage, Unresponsive Shallow Coverage and Unresponsive Deep Coverage. Vendor points plotted (vendor names not legible in this extract): 120 vulnerabilities covered / -30 days response time; 74 covered / -16 days; 42 covered / 0 days; 109 covered / +3 days; 108 covered / +26 days; 118 covered / +30 days.]
Case Study

•   In January 2009, Microsoft released one bulletin (MS09-001) that fixed three
    vulnerabilities in the SMB protocol. TippingPoint was credited with discovering
    all of the remotely exploitable critical vulnerabilities within that bulletin:
    –   SMB Buffer Overflow Remote Code Execution Vulnerability - CVE-2008-4834
    –   SMB Validation Remote Code Execution Vulnerability - CVE-2008-4835
•   TippingPoint customers received the benefit of protection on day 0, when the
    patches were released.
Today's Threat Landscape

[Figure: three columns of threats, with the actors behind them along the bottom.]

•   Network/Server Downtime Attacks – "The troubled past – is it really behind us?"
    –   Viruses, Trojans, worms, O/S-specific attacks, DDoS
•   Financially Motivated Attacks – "How easy is it to penetrate your critical
    applications and steal data?"
    –   Application-specific attacks, PHP file include, SQL injection, XSS, spear phishing
•   Critical Infrastructure Attacks – cyber warfare
    –   National, state and local infrastructure
    –   Politically motivated attacks, DDoS
•   Actors: amateur hacker / criminal, organized crime, terrorist / political activist,
    rival corporation, angry / unethical employee or sub-contractor, outsourced /
    unethical advertiser
     Comprehensive Protection

     Vulnerability
       § ICQ: ISS Protocol Analysis Module Overflow (Witty Worm)
       § MS-RPC: LSASS Active Directory Interface Overflow
       § MS-RPC: DCOM Obj. Activation Interf. Buf. Overfl.
     Reconnaissance
       § RPC: Portmap walld Request (tcp)
       § Finger: File Retrieval Attempt (/etc/passwd)
       § DNS: Zone Transfer Request
     Malicious Code (virus, Trojan, etc.)
       § SMTP: W32/Zafi-D Virus Propagation
       § POP/IMAP: MyDoom.Q Virus Propagation
       § Backdoor: SubSeven
     Protocol Anomaly
       § SMTP: Sender: Message Header Anomaly (long token)
       § SMB: Overlong SPNEGO Token Anomaly
       § FTP: Long Directory Name Creation Anomaly
     Spyware
       § Spyware: CoolWebSearch Installation Attempt
       § Spyware: MarketScore HTTPS Proxy Connection
       § Spyware: Cydoor Communication
     Policy (e-mail attachments, open shares, blank/common passwords, etc.)
       § SMTP: Zip Attachment Containing .cmd File
       § IRC: NICK/USER Registration Request
       § MS-SQL: sa Login Failed
     P2P, IM, other rate-limited apps
       § P2P: Skype Installed/Update Request
       § Kazaa: UDP SuperNode Discovery Probe
       § IM: MSN Messenger File Transfer/Sharing - Incoming Request
     VoIP
       § SIP: Contact Field Anomaly
       § H.225: Protos Suite Attack
       § SIP: Method Anomaly
     Distributed Denial of Service
       § SYN Flood
       § Connections per second flood
       § Teardrop
Flexible Deployment, Core to Edge

[Figure: the TippingPoint Digital Vaccine service feeds centralized policy and configuration management (SMS), which manages IPS units placed at three kinds of location: at the perimeter, protecting against external attacks; between internal segments, segmenting the network to protect against both internal and external attacks; and inside the network, protecting against internal attacks.]
IPS Deployment: Network Protection Beyond a Point Solution – Broad

[Figure: IPS units placed at every tier of the network, from access to data center.]

    Tier            Typical link speed
    Access          10 Mbps – 1 Gbps
    Aggregation     1 Gbps – 10 Gbps
    Core            1 Gbps – 10 Gbps
    Perimeter       1.5 – 100 Mbps
    Data center     n x 1 Gbps – n x 10 Gbps

    Protection points shown: Protect WAN Perimeter (Internet link), Protect Core Network,
    Protect Major Zones, Protect Remote Offices (over VPN), Protect Web Servers & Apps (DMZ),
    Protect Enterprise Servers, Apps & Data (Windows and Linux blades, shared storage, tape).
Closing the Gap with TippingPoint IPS

 PROTECTS:                                       FROM:
 • Microsoft applications & operating systems    • Worms
 • Oracle applications                           • Viruses
 • Linux O/S                                     • Trojans
 • Apple OS X                                    • DDoS attacks
 • VoIP                                          • Internal attacks
                                                 • Unauthorized access
                                                 • Spyware

 PROTECTS:                                       FROM:
 • Routers (e.g. Cisco IOS)                      • Worms / walk-in worms
 • Switches                                      • Viruses
 • Firewalls (e.g. Netscreen, CheckPoint FW1)    • Trojans
 • VoIP                                          • DDoS attacks
                                                 • SYN floods
                                                 • Traffic anomalies

 PROTECTS:                                       FROM:
 • Bandwidth                                     • Peer-to-peer apps
 • Servers                                       • Instant messaging
 • Mission-critical traffic                      • Unauthorized applications
                                                 • DDoS attacks

 Platform:
   § High-performance custom hardware
   § Highly advanced prevention filters
   § Constant-update protection service
   § 5 Gbps throughput
   § Switch-like latency
   § 2M sessions
   § 250K sessions/second
   § Total flow inspection
   § Rate shaping queues, 64K capacity
   § 10K parallel filters

Unmatched Filter Accuracy
DVLabs' Digital Vaccine® provides a Virtual Software Patch


   Term                   Definition
   Vulnerability          Security flaw in a software program
   Exploit                Method that takes advantage of a vulnerability to:
                           • gain unauthorized access
                           • create a denial of service
   Exploit Filter         Covers a single exploit, not the vulnerability
                           • Typically produced due to IPS engine performance limitations
                           • Results in missed attacks and false positives
                           • Other filters may entirely block service access
   Vulnerability Filter   Covers the entire vulnerability, protecting against any possible
                          future exploit, and thereby against new upcoming threats

[Diagram: a vulnerability drawn as a region containing Exploit A and Exploit B. A standard IPS exploit filter for Exploit A overlaps only part of the region (it misses Exploit B) and spills outside it (false positives from the coarse filter). TippingPoint's vulnerability filter covers the whole region and acts as a Virtual Software Patch, eliminating false positives.]
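The exploit-filter versus vulnerability-filter distinction in the table above, as an added worked example that is not from the presentation or from TippingPoint's filter engine. It assumes a hypothetical "LOGIN <user>" service whose server copies the username into a 64-byte buffer without a length check; the signature, the sample requests and the 64-byte limit are all constructed for the illustration:

```python
import re

# Hypothetical vulnerable service used for illustration (not a real product):
# the server copies the username of a "LOGIN <user>" request into a fixed
# 64-byte stack buffer without checking its length.
BUFFER_SIZE = 64

# ---- Exploit filter: a signature for one known exploit ("Exploit A") --------
# Exploit A pads the overflow with a run of "A" bytes, so a signature written
# from a captured sample of it matches that padding.
EXPLOIT_A_SIGNATURE = re.compile(rb"A{16,}")


def exploit_filter(request: bytes) -> bool:
    """Standard IPS exploit filter: block if the Exploit A padding is present."""
    return EXPLOIT_A_SIGNATURE.search(request) is not None


# ---- Vulnerability filter: model the flaw instead of one attack -------------
LOGIN_RE = re.compile(rb"^LOGIN (?P<user>[^\r\n]*)\r?\n\Z")


def vulnerability_filter(request: bytes) -> bool:
    """Block any LOGIN whose username would overflow the 64-byte buffer,
    whatever bytes the attacker chose for padding and payload."""
    m = LOGIN_RE.match(request)
    if m is None:
        return False          # not a LOGIN request: the flaw is not reachable
    return len(m.group("user")) > BUFFER_SIZE


# ---- Constructed sample traffic: (label, request, is_attack) ----------------
SAMPLES = [
    ("benign login",           b"LOGIN alice\n",                        False),
    ("benign test account",    b"LOGIN " + b"A" * 20 + b"\n",           False),
    ("long but harmless DATA", b"DATA " + b"A" * 300 + b"\n",           False),  # DATA has no overflow
    ("Exploit A",              b"LOGIN " + b"A" * 300 + b"\xcc\xcc\n",  True),
    ("Exploit B (variant)",    b"LOGIN " + b"B" * 300 + b"\xcc\xcc\n",  True),
    ("Exploit C (just over)",  b"LOGIN " + b"x" * 65 + b"\n",           True),
]


def score(filter_fn):
    """Return (missed_attacks, false_positives) for a filter over SAMPLES."""
    missed = [name for name, req, attack in SAMPLES if attack and not filter_fn(req)]
    false_pos = [name for name, req, attack in SAMPLES if not attack and filter_fn(req)]
    return missed, false_pos


if __name__ == "__main__":
    for name, fn in (("exploit filter", exploit_filter),
                     ("vulnerability filter", vulnerability_filter)):
        missed, fps = score(fn)
        print(f"{name}: missed={missed} false_positives={fps}")
```

Run as written, the exploit filter misses the re-padded variant and the minimal 65-byte overflow while flagging two harmless requests, whereas the vulnerability filter, which checks the one condition the vulnerable code cannot survive, blocks all three attacks with no false positives. The trade-off the table mentions is visible in the code too: the vulnerability filter has to parse the protocol far enough to find the field, which is why such filters cost more engine time than a byte-pattern match.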
 Required Features of an Intrusion Prevention System

Feature                      Benefit
Purpose-Built Custom ASIC    Extensible platform, thanks to the FPGA, for unparalleled security and
Hardware                     networking performance. Lowers administration and maintenance worries
                             during the equipment's lifetime.
Switch-Like Latency          20 Mbps – 5 Gbps performance enables scalable solutions for perimeter,
                             internal and core protection.
                             No adverse network impact – delays are in the 100 µs range.
In-line Attack Blocking      Effective proactive attack termination. Protects all your unpatched
                             systems.
                             Ensures your system availability and performance.
Filter Accuracy              Ensures that no 'good traffic' gets blocked and no network disruption is
                             experienced.
Simple Set-up                Immediate security out of the box, giving a high ROI with low/no
                             configuration!
Rate Shaping                 Reclaims bandwidth and improves network performance.
Full Filtering Methods       Proactive, accurate and comprehensive attack filtering that provides
(signature, protocol         zero-day attack protection – Zero Day Initiative.
anomaly, vulnerability,      Protects against all types of attacks, known or unknown!
traffic anomaly)
Comprehensive Security       Advanced protection against a multitude of threats: spyware, phishing,
Prevention                   VoIP, P2P, protocol anomalies, behavioral/traffic anomalies, worms,
                             Trojans, DDoS attacks (DDoS SYN proxy and connection rate limiters),
                             Microsoft vulnerabilities, etc.
                             Avoids the need for multiple security solutions and thereby provides cost
                             savings.
Timely Filter Updates        Frequent updates and prevention (twice-weekly or better) filters against
Hardware uses custom-built ASICs and FPGAs

[Figure: front panel of an IPS unit – Segment 1 Ethernet port A and Ethernet port B, LCD and keypad, console port, and an out-of-band administration 10/100 Ethernet port.]
High Availability and Stateful Network Redundancy

 Intrinsic High Availability
 •   Dual hot-swappable power supplies
 •   Self-monitoring watchdog timers
      –   Security and management engines
      –   L2 switch fallback
 •   99.999% network reliability

 Stateful Network Redundancy
 •   Stateful redundancy
      –   Active-active
      –   Active-passive
 •   No IP address or MAC address
 •   Transparent to router protocols
      –   HSRP, VRRP, OSPF
 •   Allows an MTU of 1548 to pass, fully checked
Distributed Denial of Service Attacks

•   SYN Flood
     –   Floods of spoofed SYN packets sent to the server
     –   Floods may be huge (100:1 ratio of bad to good packets)
•   Established Connection Flood
     –   “Bot” armies flood servers with endless connections
     –   “Bot” armies are known to exceed 10,000 machines
•   Connections Per Second Flood
     –   Client connections are ramped up more quickly than the server can handle

[Figure: Example SYN Flood Attack]

“DoS attacks are the most expensive computer crime”
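The three flood types above differ in what the handshake accounting looks like at the server: a spoofed SYN flood leaves SYNs that never complete, a connections-per-second flood shows an abnormal SYN arrival rate, and an established-connection flood shows far too many completed handshakes. The following is an added example of that detection logic plus the simplest of the mitigations listed on the feature slide (a connection-rate limiter), run over constructed packet records. It is not TippingPoint code; the thresholds, the `Packet` record and the sample traffic are assumptions for the example.

```python
"""Detection logic for the three flood types on the slide, run over a
constructed packet stream.  Added example, not TippingPoint code; the
thresholds are illustrative assumptions, not product defaults."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # arrival time in seconds
    src: str      # source IP
    dst: str      # destination IP (the server under attack)
    syn: bool
    ack: bool


def flood_stats(packets):
    """Per-destination handshake accounting.
    Returns {dst: (syn_sources, completed_sources, peak_syn_per_sec)}.
    A source counts as completed once it sends a bare ACK after its SYN,
    i.e. the third step of the handshake; spoofed sources never do."""
    syn_src, done_src, syn_times = defaultdict(set), defaultdict(set), defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.syn and not p.ack:
            syn_src[p.dst].add(p.src)
            syn_times[p.dst].append(p.ts)
        elif p.ack and not p.syn and p.src in syn_src.get(p.dst, ()):
            done_src[p.dst].add(p.src)
    stats = {}
    for dst, srcs in syn_src.items():
        peak, window = 0, deque()      # busiest 1-second sliding window of SYNs
        for t in syn_times[dst]:
            window.append(t)
            while t - window[0] >= 1.0:
                window.popleft()
            peak = max(peak, len(window))
        stats[dst] = (len(srcs), len(done_src[dst]), peak)
    return stats


def classify(stats, half_open_ratio=0.8, cps_limit=100, conn_limit=1000):
    """Map the stats onto the slide's three flood types (thresholds are
    assumptions for the example, not product defaults)."""
    verdicts = {}
    for dst, (syns, done, peak) in stats.items():
        labels = []
        if 1 - done / syns >= half_open_ratio:
            labels.append("syn_flood")          # most SYNs never complete: spoofed sources
        if peak > cps_limit:
            labels.append("cps_flood")          # new connections ramp faster than the server accepts
        if done > conn_limit:
            labels.append("established_flood")  # real handshakes, but from far too many bots
        verdicts[dst] = labels
    return verdicts


def rate_limit_syns(packets, dst, max_per_sec):
    """Connection-rate limiter: admit at most max_per_sec SYNs to dst in any
    1-second sliding window and drop the rest.  Returns (admitted, dropped)."""
    window, admitted, dropped = deque(), 0, 0
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dst != dst or not (p.syn and not p.ack):
            continue
        while window and p.ts - window[0] >= 1.0:
            window.popleft()
        if len(window) >= max_per_sec:
            dropped += 1
        else:
            window.append(p.ts)
            admitted += 1
    return admitted, dropped


def legit_traffic():
    """Constructed sample: five clients complete the handshake with 10.0.0.5."""
    pk = []
    for i in range(5):
        client = f"192.0.2.{i + 1}"
        pk.append(Packet(i * 0.1, client, "10.0.0.5", syn=True, ack=False))
        pk.append(Packet(i * 0.1 + 0.05, client, "10.0.0.5", syn=False, ack=True))
    return pk


def syn_flood_traffic():
    """Constructed sample: the legit traffic plus 300 spoofed SYNs from 250
    distinct sources inside 0.3 s, none of which ever ACKs."""
    return legit_traffic() + [
        Packet(5.0 + i * 0.001, f"203.0.113.{i % 250}", "10.0.0.5", syn=True, ack=False)
        for i in range(300)
    ]


if __name__ == "__main__":
    print(classify(flood_stats(legit_traffic())))                  # {'10.0.0.5': []}
    print(classify(flood_stats(syn_flood_traffic())))              # {'10.0.0.5': ['syn_flood', 'cps_flood']}
    print(rate_limit_syns(syn_flood_traffic(), "10.0.0.5", 100))   # (105, 200)
```

The half-open ratio is what distinguishes a spoofed SYN flood from a legitimate burst: a busy but honest client population still completes its handshakes. Note that the rate limiter alone cannot tell good SYNs from bad ones once the window is full, which is why an in-line device pairs it with a SYN proxy that only forwards connections whose third handshake packet actually arrives.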
Security Management System Architecture - SMS
Centrally Managed, Distributed Deployment

•   Security Management Server appliance
•   Easy installation
•   Scalable/fault tolerant
•   High availability
•   Enterprise-wide policy management
     •   Per-segment policy
     •   Port-by-port policy
     •   Device-by-device policy
Operations – SMS Dashboard

[Dashboard screenshot callouts: brief description of attack; destination IP address; application attacks over the last 24 hours (most recent to the right); double-click to open the SMS events viewer for this attack]
SMS – Devices – Shelf Level View
Protection filters
System Health Reporting
Bandwidth Management Reports
Daily and Weekly Attack Reporting
… Know who’s attacking what – and when and from where

[Report screenshot callouts: date and time period selection; severity selection; Top 10 attacks with brief description and pie chart]
SMS can also create an Executive Report

•   Combines Top Attacks and P2P reports in an easy summary.
ThreatLinQ

Proactively Optimize IPS Network Security
TippingPoint’s ThreatLinQ Service

•   What is it?
     •   Security portal that provides global threat and IPS filter intelligence data
•   Who is it for?
     •   TippingPoint IPS customers, through our TMC customer portal
•   Why is it important?
     •   Helps customers optimize their IPS protection as threats emerge
TippingPoint’s ThreatLinQ
Real-Time Threat Intelligence
What is happening beyond your own network, right now – what is “in the wild”?
What attacks are going on?

•   Real-time monitoring of malicious threats and attacks
•   View current global attack activity
•   View attack activity by country
•   Watch recent new and growing threats
•   Drill down to view detailed threat source and destination data on each attack type

[Screenshot: Lighthouse Network @TippingPoint]
10GbE Solution Overview
    CoreController Key Features

•   IPS cluster per 10GbE interface
•   Throughput scalability
     •   Scales from 1 to 6 IPSs
     •   Add IPSs as bandwidth increases
     •   Allows a mix of IPS models
•   Redundancy / failover
     •   Hot-swap XFPs and ZPHAs on 10GbE interfaces
     •   N+1 redundancy for IPSs
     •   Hot-swappable PSU
•   Configuration / traffic management
     •   Multiple algorithms
     •   Configurable port mapping
     •   Exception rules
TippingPoint Core Controller install example

[Diagram callouts]
•   3 x 10G segments connected to the 10GbE Core Controller
•   Use four TP 5000E IPSs for 20 Gbps
•   Connect each TP 5000E via gig iLink for a 5 Gbps load
•   Add one extra TP 5000E for active redundancy
•   Double the Core Controllers for even better redundancy
•   Add a Smart ZPHA bypass
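The install example spreads three 10G segments across a cluster of TP 5000E units with one extra unit for active redundancy. As an added example (not the CoreController's own code; the slide says only "multiple algorithms" and does not name the one used), here is the flow-distribution logic a practitioner would want such a controller to have: a direction-symmetric flow key, so both halves of a TCP session reach the same stateful IPS; rendezvous hashing, so a unit failure moves only the flows that were on that unit; and an N+1 spare that takes over the failed slot. The unit names, the slot/spare model and the sample flows are constructed for the example.

```python
"""Flow distribution across an IPS cluster behind a 10GbE controller, with
N+1 failover.  Added example, not TippingPoint's CoreController code: the
page lists "multiple algorithms" without naming them, so the rendezvous
hashing and the slot/spare model here are assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


def symmetric_key(f):
    """Canonical key for a flow: endpoints sorted so that A->B and B->A
    produce the same bytes.  An in-line stateful IPS must see both
    directions of a session on the same unit, or it cannot track state."""
    lo, hi = sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)])
    return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|{f.proto}".encode()


def rendezvous_weight(key, slot):
    """Highest-random-weight score of a flow key for one slot."""
    return int.from_bytes(hashlib.sha256(key + b"|" + slot.encode()).digest()[:8], "big")


class IpsCluster:
    """N active slots, each backed by one IPS, plus one spare (N+1).
    Rendezvous hashing picks a slot per flow, so when a unit fails only
    the flows on that slot move (to the spare); everything else stays put."""

    def __init__(self, slots, spare):
        self.slots = list(slots)
        self.spare = spare
        self.failed = []      # failure order matters: one spare covers the first failure only

    def fail(self, unit):
        if unit not in self.failed:
            self.failed.append(unit)

    def slot_for(self, flow):
        key = symmetric_key(flow)
        return max(self.slots, key=lambda s: rendezvous_weight(key, s))

    def unit_for(self, flow):
        """Physical IPS for the flow, or None if no unit can take it (the
        segment must then fall through to the ZPHA bypass or drop, by policy)."""
        slot = self.slot_for(flow)
        if slot not in self.failed:
            return slot
        if self.failed[0] == slot and self.spare not in self.failed:
            return self.spare
        return None


def failover_demo(n_flows=200):
    """Constructed sample: four TP 5000E slots plus one spare.  Fail the unit
    carrying flow 0 and count how many flows in total are remapped.
    Returns (failed_unit, flows_moved, new_unit_of_flow_0)."""
    c = IpsCluster(["ips1", "ips2", "ips3", "ips4"], spare="ips5")
    flows = [Flow("192.0.2.1", 1024 + i, "198.51.100.5", 80, 6) for i in range(n_flows)]
    before = [c.unit_for(f) for f in flows]
    c.fail(before[0])
    after = [c.unit_for(f) for f in flows]
    moved = sum(1 for b, a in zip(before, after) if b != a)
    return before[0], moved, after[0]


if __name__ == "__main__":
    print(failover_demo())   # (<failed unit>, <roughly a quarter of the flows>, 'ips5')
```

With a plain modulo hash over the surviving units, a single failure would reshuffle nearly every flow in the cluster and the IPSs would lose state for sessions they had never seen; with rendezvous hashing and a slot-based spare, only the sessions that were on the failed unit are affected, and those are exactly the ones whose state is lost anyway.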
    Thank you…




Robert Seimann
Robert_Seimann@TippingPoint.com
Mobile +46-70-545 3296

Document info: posted 11/7/2011, 48 pages