
NEXT GENERATION NETWORK INSECURITY

Anupam Tiwari
CCCSP,CEH

One day it will all be sold for the price of clay; what will remain in this world, my dear, are your words.

AND..

A good friend will be at your funeral. The best friend will miss it because he will be too busy breaking into your house, trying to clean your browser history and all traces!!!!!!

delete this one too!!!!!



Mostly OverEstimated / UnderEstimated

CUTTING THROUGH THE HYPE : WHAT IS TRUE NEXT GENERATION SECURITY ?

The number of transistors on an IC doubles approximately every 18 months!!!

Why is Securing the IT Environment getting DIFFICULT by day?

LETS GET BACK BY FEW YEARS!!!!

When securing the IT environment was easier than it is today.

Basic information such as the users' locations, the applications they were running and the types of devices they were using were known variables.

In addition, this information was fairly static, so security policies scaled reasonably well.

Applications ran on dedicated servers in the data center.

The IT organization controlled access to those applications and established boundaries to enforce security policies.

For the most part, the network experienced predictable traffic patterns.

TOUCHING MOMENT

HAPPY CISO!!!!!!

Changing the way the network is Architected

Applications/Data may move between servers or even data centers or countries.

Multiple diverse mobile devices connect to the corporate network from various locations.

At the same time, users are extending the corporate network by going to the cloud for collaborative applications like Dropbox or Google.

IT no longer knows which devices may connect to the network or their location.

Data isn't just safely resting in the data center; it is traversing countries.

BOTNETS

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks.

40% of the computers are Botted

So all this, along with these two current giants, makes a great Attack Surface

CRIMEWARE as a SERVICE

PRISM is a mass electronic surveillance data mining program known to have been operated by the United States National Security Agency (NSA) since 2007.

The Central Monitoring System is a mass electronic surveillance program installed by C-DOT, an Indian Government owned agency.

The CMS gives India's security agencies and income tax officials centralized access to India's telecommunications network and the ability to listen in on and record mobile, landline and satellite calls, read private emails, SMS and MMS, and track the geographical location of individuals, all in real time.

Identify and control Applications on any Port

Application developers no longer adhere to standard port, protocol, or application mapping.


Applications such as instant messaging, peer-to-peer file sharing or Voice over IP are capable of operating on non-standard ports or can hop ports. Additionally, users are increasingly savvy enough to force applications to run over non-standard ports. In order to enforce application-specific policies where ports are increasingly irrelevant, the next gen future firewall must assume that any application can run on any port. The future firewall must classify traffic, by application, on all ports, all the time.

Most organizations have security policies and controls designed to enforce them. Proxies, remote access, and encrypted tunnel applications are specifically used to circumvent security controls like firewalls, URL filtering, IPS, and secure web gateways.

Firewall must identify and control circumventors

The future firewall requires specific techniques to deal with all of these applications, regardless of port, protocol, encryption, or other evasive tactic. One more consideration: these applications are regularly updated to make them harder to detect and control. So it is important that the future firewall can identify these circumvention applications, and that your firewall's application intelligence is updated and maintained on an ongoing basis.

Decrypt outbound SSL

Today, more than 30% of network traffic is SSL-encrypted

Given the increasing adoption of HTTPS for many popular applications that end-users employ (e.g., Gmail, Facebook), and users' ability to force SSL on many websites, network security teams have a large and growing blind spot without decrypting, classifying, controlling, and scanning SSL-encrypted traffic. Certainly, the future firewall must be flexible enough that certain types of SSL-encrypted traffic can be left alone (e.g., web traffic from financial services or health care organizations) while other types (e.g., SSL on non-standard ports, HTTPS from unclassified websites) can be decrypted via policy.

Scan for viruses and malware in allowed collaborative applications

Enterprises continue to adopt collaborative applications hosted outside their physical locations: Microsoft SharePoint, Google Docs, Box.net or Microsoft Office 365, or an extranet application hosted by a contractor or business partner.

These applications are considered to be a high-risk threat vector. Furthermore, applications like Microsoft SharePoint rely on supporting technologies that are regular targets for exploits, including Microsoft SQL Server or IIS.

Deal with unknown traffic by policy

There will always be unknown traffic and it will always represent significant risks to any organization.

The future firewall should attempt to classify all traffic.

Positive (default deny) vs Negative (default allow)

For custom developed applications, there should be a way to develop a custom identifier so that traffic is counted as known.
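The two slides above (classify by application on any port; treat unknown traffic by policy, with a custom identifier for in-house apps) sketched as a toy classifier. This is an added illustration, not code from the talk; the signature patterns, the `acme-inventory` custom identifier and the sample flows are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed signatures: classification looks at the payload, never the port.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
    "ssh":  re.compile(rb"^SSH-2\.0-"),
    "tls":  re.compile(rb"^\x16\x03[\x00-\x03]"),  # TLS handshake record header
}
# Hypothetical custom identifier for an in-house application, so its
# traffic counts as "known" instead of falling into the unknown bucket.
CUSTOM_SIGNATURES = {
    "acme-inventory": re.compile(rb"^ACME-INV/1 "),
}

@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes of the client's data

def identify(flow: Flow) -> str:
    """Return the application name matched on payload alone, else 'unknown'."""
    for name, pattern in {**SIGNATURES, **CUSTOM_SIGNATURES}.items():
        if pattern.match(flow.payload):
            return name
    return "unknown"

def decide(flow: Flow, policy: dict, model: str = "positive") -> tuple:
    """Apply per-application policy; the model decides the fate of 'unknown'.
    positive = default deny (unknown is dropped); negative = default allow."""
    app = identify(flow)
    default = "deny" if model == "positive" else "allow"
    return app, policy.get(app, default)

def enforce(flows, policy: dict, model: str = "positive") -> list:
    return [(f.dst_port, *decide(f, policy, model)) for f in flows]

# Constructed sample flows: web on a non-standard port, SSH hopping onto 443,
# real TLS on 443, junk on 80, and the in-house app on 5000.
SAMPLE_FLOWS = [
    Flow(8081, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow(80, b"\x00\x01\x02\x03not-a-known-protocol"),
    Flow(5000, b"ACME-INV/1 LIST warehouse=7\n"),
]
POLICY = {"http": "allow", "tls": "allow", "acme-inventory": "allow", "ssh": "deny"}

if __name__ == "__main__":
    for port, app, verdict in enforce(SAMPLE_FLOWS, POLICY):
        print(f"port {port:>5}  app={app:<15} {verdict}")
```

Run it with `model="negative"` to see the difference the slide is drawing: the same junk flow on port 80 is allowed instead of denied.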

Identify and control applications sharing the same connection

Applications share sessions. Gmail, for example, has the ability to spawn a Google Talk session from within the Gmail session. Gmail and Google Talk are fundamentally different applications, and your future firewall should recognize that and enable the appropriate policy response for each.

WHAT DO WE DO TODAY?
NO TWO ORGS or USERS CAN HAVE THE SAME MODEL OF SECURITY IMPLEMENTATION

THE NEED IS A CUSTOMISED MODEL FOR EVERYONE

Know the EAL of your product

TAKE CONTROLLED RISK

KEEP YOUR EYES OPEN

Cryptography

Stringent Security Policies

Monitoring tools

Analysis tools

Firewalls / UTMs

Contact me at : anupamtiwari@fedoraproject.org
I blog at http://anupriti.blogspot.com