Campus Network Information Security Threats and Applied Technologies 陳家慶 (Jacob Chen) # 11

Campus Network Information Security Threats and Applied Technologies 陳家慶 (Jacob Chen) 886-2-87860968# 11. Enterprises, Small/Medium Sized Businesses (SMBs) and enterprise branch offices need network protection that is complete, manageable, and affordable. But the marketplace is crowded with undifferentiated “me-too” products based on old technologies and architectures. Fortinet’s FortiGate solutions are a new generation of ASIC-based network protection systems that provide capabilities and price/performance unmatched by any competing systems. They provide Enterprises and SMBs with a full range of application-layer and network-layer security, with real-time performance, in cost-effective platforms that can be installed and managed easily. Qualified distributors and resellers have an outstanding opportunity to open new accounts, increase sales to existing accounts, and raise margins through a partnership with Fortinet.

Agenda: Analysis of potential network security threats, 15 min (network viruses, worms, attacks, spam, P2P ...); Campus network security solutions and management analysis, 20 min; Case study, 15 min; Break, 10 min; Content security management and demonstration, 60 min; Config practice, 20 min

Analysis of Potential Threats to Information Networks

Customer Needs. The limitations of conventional systems are not lost on users. In a recent study, nearly all respondents reported that they wanted to see new functions integrated into their firewalls, especially anti-virus, intrusion detection, and content filtering. Firewalls alone are not enough: users want new, integrated capabilities. Source: Infonetics Research

The Nature of Threats Has Evolved… Major Pain Points for Organizations of all Types
[Timeline figure, 1970 to 2000, with speed and damage ($) growing over time. Three eras and their countermeasures: PHYSICAL (hardware theft; lock and key), CONNECTION-BASED (intrusions; firewall, VPN, IDS), CONTENT-BASED (viruses, Trojans, worms, spam, banned content; anti-virus, anti-spam, content filter).]
In the early days of computing, the biggest security concern was that someone was going to physically walk off with a disk pack or set of tapes. As networks became popular, both within and between organizations, it became possible for attackers to enter networks from outside, and to use CONNECTION-BASED attacks to reach and compromise private data and programs. Today, the most damaging and fast-moving threats are CONTENT-BASED. Content-based attacks don’t require sustained connections in order to do damage. Once a virus or worm has been inserted into a computer, it can act on its own and spread without a connection to the attacker. The big challenge with content-based threats is that they are almost always delivered using connections that are inherently trusted, like email and Web traffic. In addition, content-based attacks don’t discriminate between different types of companies: they usually are spread automatically without regard for the size of a company or the value of their data. This means that every company is at risk. The same phenomenon is true of other types of content threats including inappropriate Web content or email spam. The costs to businesses of these threats are huge, estimated at over $10 billion annually, and growing rapidly. Think of what the last virus attack cost your business!

The “Content Processing Barrier” is the Challenge to Network Protection
[Figure: processing power required per service. Network-level services (firewall, VPN, IDS) are supported by today’s network edge devices; application-level services (virus/worm detection, content filtering) exceed the capabilities of available network devices. The content processing barrier lies between the two.]
The Content Processing Barrier is the fundamental reason why conventional networking systems can’t handle application-level functions like virus scanning and content filtering at network speeds. Compared with FW, VPN, and even IDS processing, application-level processing requires hundreds of times more processing power per packet. That’s the content processing barrier.

Conventional Solutions Can’t Keep Up with Real-Time Communications
25%+ of virus infections delivered via Web traffic* (vs. email)
Software AV scanning is too slow for Web traffic
Need for speed keeps increasing: Email -> Web -> Instant Messaging -> ???
Conventional Firewall and AV Products Are Behind: A New Approach is Needed
*Yankee Group

Conventional/Single Point Security Solutions Do Not Solve these Problems
[Figure: hacker, spam, viruses and worms, intrusions and banned content (www.find_a new job.com, www.free music.com, www.pornography.com) passing through the firewall to the mail server.] Firewalls do not examine the content of data packets, so threats pass through.
If you ask 100 people what they use to protect their network, close to 100 will answer “a firewall.” But what do firewalls really protect against? They don’t stop the attacks that do the most damage: malicious emails, viruses and worms, intrusions, and banned content pass right through. The reason is that firewall technology was designed nearly a decade ago, when networks (and security threats) were much simpler. Firewalls only look at the headers of packets (i.e. the to and from addresses on the envelopes) to decide if a packet is OK. But the damage from today’s threats comes from the contents carried by the packets, and firewalls don’t look inside.

Many Conventional Products are Needed for a “Complete” Solution
[Figure: a separate product per threat: email filtering software against malicious email and spam, anti-virus software against viruses and worms, IDS/IPS against intrusions, a VPN, and Web content filtering software against banned content (www.find_a new job.com, www.free music.com, www.pornography.com).]
As a result of the limitations of conventional firewalls and point security products, those who want complete network protection are forced to buy a lot of expensive equipment, integrate it together, and use a lot of skilled staff to keep it running. The investment required to do this exceeds the budgets of many, many organizations. Some vendors call this approach a “best of breed” solution. It isn’t clear what’s best about this approach.

Campus Network Security Solutions and Management Analysis

Firewall. A firewall operates at the network layer and the transport layer, and can treat packets from a management point of view, that is, by the direction in which they travel. Through firewall management, network address (IP address), network service (TCP/UDP port number) and direction are combined into a tight security net.
High performance; ICSA certified
NAT, Route and Transparent modes
H.323 NAT support
Policy-based
Group authentication via LDAP and RADIUS
WAN failover
Control of over 40 standard protocols or user-defined services, e.g. Telnet, RealAudio, FTP, GRE, Oracle*8 etc.
Management and control: DHCP Relay and WINS
Unified management of antivirus, firewall and VPN
Apply firewall policies to VPN tunnels
Apply AV and content filtering as part of firewall policies

Firewalls Don’t Analyze Contents so they Miss Content Attacks
[Figure: a stream of data packets passes through a stateful inspection firewall, which inspects packet headers only (it looks at the envelope, but not at what is contained inside). Every packet of the example download http://www.freesurf.com/downloads/Gettysburg is marked OK, including the one carrying BAD CONTENT inside the text “Four score and ... our forefathers brought forth upon this continent a new nation, ... liberty, and dedicated to the proposition that all”.]
A packet has a header (MAC address, source IP, destination IP, protocol, port: the TO, FROM and TYPE OF DATA fields) and a payload (the data). The payload is not scanned.

Firewall Policy for VLAN, Zone and Interfaces/Ports
A Zone must contain VLANs and/or Interfaces/Ports before it can be used in a policy
An “Address” must be assigned to the VLAN, Zone, or Interfaces/Ports before creating a policy
Use Content Profiles to apply different restrictions to different groups of IP addresses; create the Content Profile first, before creating the policy
Services/ports for VPN
Traffic Shaping: token bucket

Firewall - VLAN. A firewall policy can be applied to an Interface, a Zone, a VLAN, or the 2nd IP of an Interface. The “address” must be defined first within the Firewall section.

Firewall – 2nd IP LAN Address

Firewall – VLAN Address

Content Profiles
First enable, in each profile, AV scanning/blocking, quarantining, Web/Email filtering, etc.
Each profile can then be assigned on a per-Firewall-Policy basis
Provides the flexibility to meet different requirements and access restrictions for various groups
Can be applied to all supported protocols (HTTP, FTP, SMTP, POP3, IMAP)

Unified policy management: content rules can be adjusted flexibly as network usage regulations for different user needs.

Policy-based Protection Profile: network usage rules can be defined for a single policy.
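The firewall slides above describe a policy as the combination of network address, network service (protocol and port) and direction, evaluated in order, with an optional content profile attached to the matching policy. The following Python model, added here as an illustration and not code from the slides or from Fortinet, shows how that first-match evaluation and the implicit deny behave on a constructed campus policy set; the zone names, address ranges and profile name are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical data model (not FortiGate's own) for the three ingredients the
# slide names: network address, network service and direction (src zone -> dst zone).

@dataclass(frozen=True)
class Service:
    proto: str   # "tcp" or "udp"
    port: int    # destination port

@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str                    # CIDR, e.g. "10.20.0.0/16"
    dst_net: str                    # CIDR; "0.0.0.0/0" means any address
    services: FrozenSet[Service]    # empty set means ANY service
    action: str                     # "accept" or "deny"
    profile: Optional[str] = None   # content profile applied to accepted traffic

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

def matches(policy: Policy, pkt: Packet) -> bool:
    """A policy matches only when direction, both addresses and the service all agree."""
    if (policy.src_zone, policy.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(policy.src_net):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(policy.dst_net):
        return False
    if policy.services and Service(pkt.proto, pkt.dst_port) not in policy.services:
        return False
    return True

def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, Optional[str], str]:
    """First-match evaluation; traffic no policy accepts is implicitly denied."""
    for p in policies:
        if matches(p, pkt):
            return p.action, p.profile, p.name
    return "deny", None, "implicit-deny"

WEB = frozenset({Service("tcp", 80), Service("tcp", 443)})
SMB = frozenset({Service("tcp", 445)})

# Constructed campus policy set (an assumption for the example): dorms may browse
# the web through the "student-web" content profile, dorms may not reach the
# server farm over SMB, admin workstations may reach the server farm on any service.
POLICIES = [
    Policy("dorm-to-servers-smb", "dorm", "servers", "10.20.0.0/16", "10.1.0.0/24", SMB, "deny"),
    Policy("dorm-web", "dorm", "internet", "10.20.0.0/16", "0.0.0.0/0", WEB, "accept", "student-web"),
    Policy("admin-servers", "admin", "servers", "10.5.0.0/24", "10.1.0.0/24", frozenset(), "accept"),
]

def demo():
    cases = [
        Packet("dorm", "internet", "10.20.1.5", "203.0.113.10", "tcp", 443),   # allowed, scanned
        Packet("dorm", "servers", "10.20.1.5", "10.1.0.7", "tcp", 445),        # explicit deny
        Packet("internet", "dorm", "203.0.113.10", "10.20.1.5", "tcp", 80),    # wrong direction
        Packet("admin", "servers", "10.5.0.9", "10.1.0.7", "tcp", 1521),       # any service
    ]
    return [evaluate(POLICIES, c) for c in cases]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third case shows why direction is part of the match: the same addresses and port that are accepted dorm-to-internet fall through to the implicit deny when the connection originates on the internet side.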

Antivirus
Infection channels: local LAN (network neighbourhood, vulnerabilities in the operating system itself); HTTP, FTP, IMAP, POP3, SMTP; freeware, file sharing, free registration codes
Performance requirements: ASIC-based antivirus solution; ICSA-certified hardware antivirus gateway
Policy-based virus scanning: complete database of the world’s virus signatures; can quarantine infected files and block oversized files
Rapid threat response: provided by the Threat Response Team and FortiResponse; automatic updates of virus signatures and intrusion detection signatures
The world’s only ASIC-based antivirus solution
Automatic push updates for AV and NIDS definition databases
First and only ICSA-certified, hardware-based AV gateway
Policy-based virus scanning
Scans all email traffic (SMTP, POP3, IMAP)
Scans all Web (HTTP) content, downloads, and web mail; support for non-standard port HTTP traffic scanning (2.5)
Scans all FTP traffic (new in 2.5; does not require H/W upgrade)
Decrypts and scans encrypted VPN tunnels for viruses and worms
Scans encrypted Microsoft Macro files
Able to scan through 12 levels of compression; LZH compression added in 2.5
Full coverage of the industry standard WildList viruses, including polymorphic viruses
Quarantine of infected and suspicious files and blocking of oversized (user definable) files (added in 2.5)
Updated by Threat Response Team and FortiResponse™ Distribution Network
Joe Wells, leading AV guru, Chief Antivirus Architect

Msblast. Take the Msblast (“Blaster”) worm as an example. Msblast stays resident in the memory of the infected machine and probes about 20 random IP addresses per second to find the next possible victim. Once a machine is infected, Msblast opens port 4444 and port 69 on the system and tries to connect to TCP port 135 on other machines. When it finds a target and gets into the system, it exploits the known Microsoft DCOM (Distributed Component Object Model) RPC (Remote Procedure Call) vulnerability, so that the attacker can use TFTP (trivial FTP) to download the worm itself onto the victim machine and copy it under windows\system32. The victim machine may show a message that the RPC service terminated unexpectedly, with a 60-second countdown to restart, so the system keeps rebooting. On the 16th the worm triggers and all infected machines launch a DoS (Denial of Service) attack on the Microsoft update site (windowsupdate.com) on the same day, trying to paralyze it. At the time, an estimated several million machines worldwide were infected, and many IT staff were busy patching every Microsoft system and answering phone calls from affected users.
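The Msblast description gives a concrete, measurable symptom on the network: one host opening connections to about 20 distinct addresses per second on TCP port 135. The detector below, an added example in Python and not code from the slides or from Fortinet, finds that pattern in flow records with a sliding one-second window; the flow records and the host addresses are constructed for the example, and the threshold of 20 targets per second mirrors the scan rate quoted above.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed flow records (not from the slide): (timestamp_s, src_ip, dst_ip, proto, dst_port).
# 10.1.1.50 plays the infected machine: 25 distinct targets on TCP/135 within 0.8 s.
# 10.1.1.7 is a normal workstation using DCOM against three servers over several seconds.
SAMPLE_FLOWS: List[Tuple[float, str, str, str, int]] = (
    [(100.0 + i * 0.03, "10.1.1.50", f"10.1.2.{1 + i}", "tcp", 135) for i in range(25)]
    + [(100.0 + i * 3.0, "10.1.1.7", f"10.1.0.{10 + i}", "tcp", 135) for i in range(3)]
    + [(101.0, "10.1.1.7", "203.0.113.8", "tcp", 80)]
    + [(100.5, "10.1.1.50", "10.1.2.1", "udp", 69)]      # TFTP, not counted as a scan
)

def detect_rpc_scanners(flows, port: int = 135, threshold: int = 20,
                        window: float = 1.0) -> Dict[str, int]:
    """Return {src_ip: peak distinct targets} for hosts whose number of distinct
    TCP/<port> destinations inside any sliding window of `window` seconds
    reaches `threshold`."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == port:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = deque()          # (ts, dst) pairs currently inside the window
        active = defaultdict(int)    # dst -> number of events for it in the window
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            active[dst] += 1
            while in_window[0][0] < ts - window:      # evict events older than the window
                _old_ts, old_dst = in_window.popleft()
                active[old_dst] -= 1
                if active[old_dst] == 0:
                    del active[old_dst]
            peak = max(peak, len(active))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(detect_rpc_scanners(SAMPLE_FLOWS))   # the infected host only
```

Counting distinct destinations rather than raw SYNs keeps a busy client talking to one RPC server out of the result; the window size and threshold are the knobs to tune against a site’s normal DCOM usage.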

Some Firewalls Claim to do “Deep Packet Inspection” – But They Still Miss a Lot
Performs a packet-by-packet inspection of contents, but can easily miss complex attacks that span multiple packets.
[Figure: the http://www.freesurf.com/downloads/Gettysburg download again; the packets “Four score and BAD CONTENT our forefathers brou” (passed as OK, attack undetected), “ght forth upon this continent a new nation,” (OK) and “n liberty, and dedicated to the proposition that all” (OK).]
Basic packet processing, which is what firewalls do, won’t detect the key threats. Some vendors talk about doing “packet-level” scanning for viruses and worms, but that makes no sense! There’s no reason to believe that a virus will be contained completely within one packet; it will probably be chopped up and spread across multiple packets. Simply looking at the network-level contents of a single packet won’t catch most threats. The only way to effectively do network-based scanning for viruses and banned content is to first re-assemble the packets back into the original APPLICATION-level objects from which they were derived, i.e. the files, programs, etc. THEN, once the original content has been re-created, you can scan it for viruses, worms, bad URLs, bad words, etc. But conventional network devices can’t do this.

Network-Level Processing is Not Enough
[Figure comparing three network-level approaches on the Gettysburg download. FIREWALL: inspects packet headers only and passes “valid” packets with banned content and attacks. URL FILTER: stops blacklisted URLs, but may miss BANNED WORDS embedded in content. PACKET-BASED VIRUS SCAN: may miss attacks that span multiple packets. Network-level content (packets): “Four score and seven years ago our forefathers brou” / “ght forth upon this BANNED WORDS a new nation,” / “n liberty, and dedicated to the proposition that all”.]
Application-level content processing: 1. Reassemble packets into content. 2. Compare against disallowed content and attack lists (BAD CONTENT, BANNED WORDS, NASTY THINGS, NASTIER THINGS, attack signatures). Reassembled content: “Four score and seven years ago our forefathers brought forth upon this BANNED WORDS a new liberty, and dedicated to the proposition that all…”
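The two preceding slides argue that a signature split across TCP segments is invisible to packet-by-packet inspection and only appears once the stream is reassembled. The Python below, an added example rather than code from the slides or from Fortinet, runs both strategies over the slides’ own Gettysburg text with “BAD CONTENT” straddling two segments; the sequence numbers and the signature list are constructed for the example, and the reassembler also handles segments that arrive out of order and refuses to scan a stream with a gap.

```python
from typing import List, Set, Tuple

# Signatures a content scanner looks for (the slides' placeholder strings).
SIGNATURES = [b"BAD CONTENT", b"NASTY THINGS"]

# Constructed TCP segments: (sequence_number, payload). "BAD CONTENT" is split
# between the first two segments, which is exactly the case the slide describes.
PACKETS: List[Tuple[int, bytes]] = [
    (1000, b"Four score and BAD CON"),
    (1022, b"TENT our forefathers brou"),
    (1047, b"ght forth upon this continent a new nation, "),
]

def scan_per_packet(packets, signatures=SIGNATURES) -> Set[bytes]:
    """What packet-by-packet 'deep packet inspection' sees: each payload on its own."""
    found = set()
    for _seq, payload in packets:
        for sig in signatures:
            if sig in payload:
                found.add(sig)
    return found

def reassemble(packets) -> bytes:
    """Rebuild the application-level byte stream from TCP segments, whatever the
    arrival order. Raises if a segment is missing (a hole in sequence space),
    because scanning an incomplete stream would give a false 'clean' verdict."""
    stream = b""
    expected = None
    for seq, payload in sorted(packets):
        if expected is not None and seq != expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        stream += payload
        expected = seq + len(payload)
    return stream

def scan_reassembled(packets, signatures=SIGNATURES) -> Set[bytes]:
    """Application-level scanning: reassemble first, then match the signatures."""
    stream = reassemble(packets)
    return {sig for sig in signatures if sig in stream}

def demo():
    out_of_order = [PACKETS[1], PACKETS[2], PACKETS[0]]   # segment 2 arrives first
    return scan_per_packet(out_of_order), scan_reassembled(out_of_order)

if __name__ == "__main__":
    per_packet, reassembled = demo()
    print("per packet:", per_packet)        # empty: the signature never sits in one segment
    print("reassembled:", reassembled)      # {b'BAD CONTENT'}
```

The same reassembly step is what makes the scan expensive: the device must buffer and order the whole object before it can give a verdict, which is the processing-power gap the “content processing barrier” slide describes.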

Virus Everywhere

WildList. “Wild” viruses are defined as viruses that have actually infected and spread among computers in recent years and in the past. When such a virus is found it is formally disclosed by the WildList Organization International, which publishes a monthly WildList report listing the viruses that have spread in the wild since 1993. These are the viruses that truly need to be treated as threats and isolated. To make comprehensive protection possible, more than 55 qualified antivirus companies worldwide are members of the organization, with the obligation to report and provide virus samples, so that the spread of viruses is blocked by a global effort.

Network Anti-Virus. A NAV system should be closed: secure, and not itself attackable by viruses or hackers. NAV must solve this problem in hardware, on an ASIC. Packet processing engine: handles packet headers and accelerates identifying which application-layer data stream a packet belongs to. Signature scanning engine: reassembles packet payloads into content streams in system memory and loads the appropriate virus signatures to compare against them directly.

FortiProtection Center: Web Portal and email bulletins; a world-wide, real-time update center (the Fortinet Threat Response Team and update distribution servers) that ensures rapid response to new threats. Automatic updates can reach all FortiGate units worldwide in under 5 minutes.

Virus List

Virus Detection. Protocols are handled differently when a virus is detected:
IMAP and POP3: attachment removal with a customizable message
HTTP: page replaced with a custom page
FTP and SMTP: in-session error

Command Triggers. Within each protocol, specific commands trigger antivirus inspection:
IMAP: FETCH
HTTP: GET, POST
FTP: RETR, PUT
SMTP: BDAT (but not with multiple chunks), DATA
POP3

Splicing. Session splicing is used when traffic is being scanned for viruses. What happens when a virus is detected:
SMTP, splicing enabled: stops the SMTP transfer; error message to sender
SMTP, splicing disabled: attachment removed; message to recipient
FTP upload, splicing enabled: buffers the file for scanning while uploading it to the FTP server; stops the FTP transfer; attempts to delete the partially uploaded file
FTP upload, splicing disabled: buffers the file for scanning before upload; if “clean,” uploads it to the server

Quarantining Files FortiGate units with hard disks can be configured to quarantine blocked or infected files The quarantined files are removed from the content stream and stored on the FortiGate hard disk Users receive a message informing them that the removed files have been quarantined

Quarantine List The quarantine list can be sorted and filtered for ease of use Suspicious files can be uploaded to Fortinet for analysis

AutoUpload Suspicious files can be sent to Fortinet automatically for analysis New files and patterns can be added to the list

Quarantine Options Configure the FortiGate unit to handle quarantined files

Non-standard Ports. Antivirus scanning can be configured to recognize application traffic on non-standard service ports. This can be used for customized services and is useful with HTTP proxies and caching:
config antivirus service smtp
    set port <port_integer>
end

File Blocking. By default, when file blocking is enabled, the FortiGate unit blocks the following file types:
executables (.bat, .com, .exe)
compressed/archive (.gz, .rar, .tar, .tgz, .zip)
dlls
HTML applications (.hta)
Microsoft Office (.doc)
Microsoft Works (.wps)
Visual Basic (.vb?)
screen savers (.scr)
Windows information (.pif)
File blocking is performed before antivirus scanning and is not application-aware.
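Because the file-blocking step above matches on the file name and is not application-aware, a renamed executable passes it and is left to the antivirus scan. The Python below is an added example, not code from the slides or from Fortinet: it encodes the slide’s default pattern list as case-insensitive globs and adds an assumed content check (the “MZ” signature of a Windows executable) to show what name-based blocking alone misses; the file names and byte strings are constructed.

```python
import fnmatch

# The default block list from the slide, written as glob patterns.
DEFAULT_BLOCK_PATTERNS = [
    "*.bat", "*.com", "*.exe",                   # executables
    "*.gz", "*.rar", "*.tar", "*.tgz", "*.zip",  # compressed/archive
    "*.dll",                                     # dlls
    "*.hta",                                     # HTML applications
    "*.doc",                                     # Microsoft Office
    "*.wps",                                     # Microsoft Works
    "*.vb?",                                     # Visual Basic: exactly one trailing character (.vbs, .vbe, ...)
    "*.scr",                                     # screen savers
    "*.pif",                                     # Windows information
]

def blocked_by_name(filename: str, patterns=DEFAULT_BLOCK_PATTERNS) -> bool:
    """Name-based blocking as the slide describes: a case-insensitive glob on the name only."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns)

def looks_like_pe(data: bytes) -> bool:
    """Assumed extra check, not part of the slide's feature: Windows PE files start with 'MZ'."""
    return data[:2] == b"MZ"

def classify(filename: str, data: bytes) -> str:
    """Order mirrors the slide: the name check runs first, content inspection afterwards."""
    if blocked_by_name(filename):
        return "blocked-by-name"
    if looks_like_pe(data):
        return "blocked-by-content"
    return "allowed"

if __name__ == "__main__":
    for name, data in [("REPORT.EXE", b"MZ\x90\x00"), ("script.vbs", b"MsgBox 1"),
                       ("notes.txt", b"hello"), ("notes.txt", b"MZ\x90\x00")]:
        print(name, "->", classify(name, data))
```

The last case is the one the slide’s caveat is about: “notes.txt” carrying an executable passes the name filter, so only a content-aware stage can stop it.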

File Block

Oversized File Blocking. The FortiGate unit can be configured to buffer 1 to 15 percent of available memory to store oversized files and email. Files and email that exceed this limit are blocked by the FortiGate unit rather than bypassing antivirus scanning. A replacement message is sent to the HTTP or email proxy client.

Fragmented Email FortiGate units cannot scan fragmented email for viruses or use pattern blocking to remove restricted files For security, do not enable Pass Fragmented Emails in protection profiles For added security, disable the fragmenting of email messages in the client email software

Intrusion Detection/Prevention: high performance; more complete attack signatures; prevention and active blocking of anomalous traffic and protocols; customization; network monitoring without affecting performance.
NIDS: can monitor traffic on multiple network segments simultaneously. More complete attack signatures: includes 1,400 known attack signatures and supports user-defined signatures (signature-based attack recognition). Prevention and active blocking of anomalous traffic and protocols: 34 attack signatures. Customization: user-defined attack lists; email alert notification.

IDS & IPS. An intrusion detection and prevention system has two functions: intrusion detection (IDS) and intrusion prevention (IPS). IPS provides: monitoring and analysis of user and system behaviour; auditing of network system configuration and network vulnerabilities; assessment and protection of important systems or data; statistical analysis of abnormal behaviour; tracking and logging of those behaving abnormally; recognition of normal behaviour and rejection of known attacks. Defence actions: Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, Clear Session.

Internet Message and P2P

Easy-to-configure IDS: user-defined attack signatures; nearly 1,400 attack signatures; signatures grouped by attack attribute for easy management; over 34 attack patterns; customizable logging and alerts.

NIPS Signatures

Intrusion Detection - Signature List Group

Intrusion Prevention – Default Setting. The following are disabled by default: “Source Session”, “UDP Source Session”, “ICMP Source Session”, “ICMP Fragment”, “IP record routing”, “IP strict/loose source record routing”, “IP stream/security/timestamp option”, “IP fragment”, “IP Land attack”.

Intrusion Prevention – Synflood Setting. A SYN flood attack is assumed when received SYN requests exceed 200/sec; SYNs are then sent to the proxy. If proxy connections exceed 1024, further SYN requests are discarded. Each proxy entry stays in the table for only 15 sec.
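To make the three numbers in the Synflood setting concrete, the Python below simulates that logic over a constructed burst of SYNs: forward while the rate over the last second stays within 200/sec, hand SYNs above that to a proxy table, discard once the table holds 1024 entries, and expire entries after 15 seconds. It is an added example, not code from the slides or from Fortinet, and the timestamps, source addresses and ports are constructed.

```python
from collections import deque
from typing import Dict, List, Tuple

def process_syns(events: List[Tuple[float, str, int]],
                 rate_threshold: int = 200,
                 proxy_limit: int = 1024,
                 proxy_ttl: float = 15.0) -> Dict[str, int]:
    """Simulate the slide's SYN-flood handling.
    events: (timestamp_s, src_ip, src_port) for each incoming SYN, in any order.
    - While the SYN count over the last second is within rate_threshold, SYNs are forwarded.
    - Above the threshold, each new SYN is answered by the SYN proxy (one table entry).
    - If the proxy table already holds proxy_limit entries, the SYN is discarded.
    - Proxy entries expire proxy_ttl seconds after creation.
    """
    recent = deque()                              # timestamps of SYNs in the last second
    proxy: Dict[Tuple[str, int], float] = {}      # (src, sport) -> expiry time
    stats = {"forwarded": 0, "proxied": 0, "discarded": 0}
    for ts, src, sport in sorted(events):
        for key in [k for k, expiry in proxy.items() if expiry <= ts]:   # age out old entries
            del proxy[key]
        while recent and recent[0] <= ts - 1.0:                          # slide the window
            recent.popleft()
        recent.append(ts)
        if len(recent) <= rate_threshold:
            stats["forwarded"] += 1
        elif len(proxy) < proxy_limit:
            proxy[(src, sport)] = ts + proxy_ttl
            stats["proxied"] += 1
        else:
            stats["discarded"] += 1
    stats["proxy_entries_left"] = len(proxy)
    return stats

# Constructed flood: 3000 SYNs from rotating source addresses inside 0.9 s,
# followed 19 s later by one ordinary client connection.
FLOOD = [(50.0 + i * 0.0003, f"198.51.100.{i % 250}", 10000 + i) for i in range(3000)]
LATER_CLIENT = [(70.0, "10.0.0.5", 40000)]

def demo() -> Dict[str, int]:
    return process_syns(FLOOD + LATER_CLIENT)

if __name__ == "__main__":
    print(demo())   # 201 forwarded, 1024 proxied, 1776 discarded, table empty again
```

The run shows the budget the setting implies: inside one flooded second only the first 200 SYNs reach the servers directly, the proxy absorbs the next 1024, everything else is dropped, and 15 seconds later the table has drained so the late legitimate client is forwarded normally.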

IPS Signatures

Content filtering products can be broadly divided into three areas: web filtering, email filtering and instant messaging. Natural-language filtering; URL blocking, keyword and phrase filtering; blocking of malicious ActiveX, Java applets and cookies; email filtering; support for other vendors’ blacklists.
Native content filtering (uses “free” blacklists)
URL blocking, keyword or phrase blocking
Policy and content profile-based filtering: profiles consolidate filtering policies for AV, Web, etc. (new in 2.5); selectively scan, block or allow different content types for different users and groups
Blocks ActiveX, Java applets, and cookies
Enables CIPA compliance for US primary/secondary schools
Email filtering: subject lines of incoming messages can be tagged based on matching a user-defined sender blacklist or keyword/phrase list; enables easy sorting by any email client

Web Content Filter: URL blocking, keyword and phrase filtering; blocking of malicious ActiveX, Java applets and cookies.

Spam. Preventing and managing spam has become a new and important topic in network information security. According to market research by Ferris Research, spam not only costs European and American businesses 8.9 billion and 2.5 billion US dollars respectively each year, it also drains 500 million US dollars of resources from telecom service providers. Over 74% of respondents consider “dealing with spam a waste of time”, and as many as 66.6% fear that spam will infect their computers with viruses. These figures show that spam has become a nightmare for businesses, employees and MIS staff.

Mail header analysis and checking: more and more email is presented in HTML form. Second, the attacker sends booby-trapped HTML email directly, using IE on the recipient’s computer to execute the attachment and infect the user’s computer. The best known example is Win32.Nimda (also known as W32/Nimda@MM), an Internet worm that spreads by exploiting known vulnerabilities in Internet Explorer and IIS. Like a file-infecting virus, it can also infect Win32 executables and files with the html, htm and asp extensions.

Artificial intelligence and image recognition techniques. AI-based matching and classification: professional products on the market now also apply the data mining techniques that have become popular in recent years, using intelligent classification models based on a variety of probability and statistics methods, such as Bayesian probability, fuzzy logic and neural networks. Image recognition: having covered AI methods, we add one more. The methods above only recognise or classify text, but spam has adapted to these common blocking methods and can easily slip past traditional filter conditions: more and more spam presents its text as image files. Some products therefore claim to extract the text by OCR and match feature values, so that such spam cannot hide either. Some even claim to use AI image recognition theory with colour-tone tracking to detect pornographic image attachments.

Spam. Uses a wide variety of local and network tests to identify spam signatures: IP address (RBL and ORDBL); email address; MIME headers; banned words. Once identified, the mail can then be: tagged as spam for later filtering using the user’s own mail user-agent application (enables easy sorting by any email client); or rejected (SMTP).
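The spam slides list four kinds of test (connecting IP against an RBL, sender address, MIME headers, banned words) and two outcomes (tag the subject or reject). The Python below is an added example, not code from the slides or from Fortinet: it runs those tests over two constructed messages and tags the subject of the one that fails. The blacklist, banned words and the set standing in for a positive RBL answer are constructed, and the DNSBL zone name is a placeholder; the function that would query DNS is replaced by an offline lookup so the example runs without network access.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Constructed inputs (not from the slide): a sender blacklist, banned words, and a set
# of addresses standing in for a "listed" DNSBL answer.
SENDER_BLACKLIST = {"promo@spam.example"}
BANNED_WORDS = ["cheap meds", "free money"]
RBL_LISTED = {"198.51.100.23"}

def rbl_query_name(client_ip: str, zone: str = "rbl.example.net") -> str:
    """Build the reversed-octet DNSBL query name (zone is a placeholder, not a real list)."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone

def rbl_listed(client_ip: str) -> bool:
    """Offline stand-in for the DNS lookup a real filter performs on rbl_query_name()."""
    _name = rbl_query_name(client_ip)
    return client_ip in RBL_LISTED

def spam_reasons(msg: EmailMessage, client_ip: str) -> List[str]:
    """Apply the slide's four tests and return which ones matched."""
    reasons = []
    if rbl_listed(client_ip):
        reasons.append("ip-rbl")
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender in SENDER_BLACKLIST:
        reasons.append("sender-blacklist")
    if not msg.get("Message-ID"):              # header test: legitimate MUAs set a Message-ID
        reasons.append("missing-message-id")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    for word in BANNED_WORDS:
        if word in text:
            reasons.append(f"banned-word:{word}")
    return reasons

def classify(raw: str, client_ip: str, tag: str = "[SPAM]") -> Tuple[str, List[str], str]:
    """Return (verdict, reasons, subject); a failing message gets its Subject tagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = spam_reasons(msg, client_ip)
    subject = str(msg.get("Subject", ""))
    if reasons:
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}"
        return "tag", reasons, str(msg["Subject"])
    return "pass", reasons, subject

# Constructed messages for the example.
SPAM_RAW = """From: promo@spam.example
To: student@campus.example
Subject: Cheap meds now
Content-Type: text/plain; charset=us-ascii

Get cheap meds and free money today.
"""
HAM_RAW = """From: prof@campus.example
To: student@campus.example
Subject: Lab schedule
Message-ID: <abc123@campus.example>
Content-Type: text/plain; charset=us-ascii

The lab moves to room 215 next week.
"""

if __name__ == "__main__":
    print(classify(SPAM_RAW, "198.51.100.23"))
    print(classify(HAM_RAW, "10.0.0.5"))
```

Tagging rather than rejecting is the safer default for a campus gateway: a false positive costs the user a glance at a “[SPAM]” folder rather than a lost message, and the reasons list is what an administrator needs when tuning the word list.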

Spam Filter

Email Filter

Bandwidth management (QoS): effective use and allocation of network bandwidth; policy-based bandwidth management; guaranteed bandwidth (KB per second).

Traffic Shaping
Guaranteed Bandwidth: you can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service.
Maximum Bandwidth: you can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
Traffic Priority: select High, Medium, or Low. Select Traffic Priority so that the FortiWiFi unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
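The shaping slide defines three knobs per policy (guaranteed bandwidth, maximum bandwidth, priority) and the earlier policy slide names the mechanism as a token bucket. The Python below is an added example, not code from the slides or from Fortinet: the allocator grants every policy its guarantee first and then hands leftover link capacity out by priority up to each maximum, and a small token bucket shows how a maximum rate is enforced packet by packet. The policy names, rates and link capacity are constructed; real devices shape per packet and per direction, which this sketch collapses into one allocation round.

```python
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

@dataclass
class ShapedPolicy:
    name: str
    guaranteed_kbps: float   # KB/s the policy always gets, up to its demand
    maximum_kbps: float      # hard ceiling for the policy
    priority: str            # "high", "medium" or "low"

def allocate(policies: List[ShapedPolicy], demand: Dict[str, float],
             link_kbps: float) -> Dict[str, float]:
    """Two passes: guarantees first, then leftover capacity by priority, never above a maximum."""
    alloc = {}
    remaining = link_kbps
    for p in policies:                                   # pass 1: honour guarantees
        want = min(demand.get(p.name, 0.0), p.maximum_kbps)
        granted = min(want, p.guaranteed_kbps, remaining)
        alloc[p.name] = granted
        remaining -= granted
    for p in sorted(policies, key=lambda q: PRIORITY_ORDER[q.priority]):   # pass 2: by priority
        want = min(demand.get(p.name, 0.0), p.maximum_kbps) - alloc[p.name]
        extra = min(want, remaining)
        alloc[p.name] += extra
        remaining -= extra
    return alloc

class TokenBucket:
    """Enforces a maximum rate: tokens are KB, refilled at rate_kbps, capped at burst_kb."""
    def __init__(self, rate_kbps: float, burst_kb: float):
        self.rate = rate_kbps
        self.capacity = burst_kb
        self.tokens = burst_kb
        self.last_ms = 0

    def try_send(self, size_kb: float, now_ms: int) -> bool:
        elapsed_ms = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.capacity, self.tokens + self.rate * elapsed_ms / 1000)
        if self.tokens >= size_kb:
            self.tokens -= size_kb
            return True
        return False          # over the maximum rate: the packet is dropped or queued

# Constructed policies: the slide's e-commerce web server as the high-priority service.
POLICIES = [
    ShapedPolicy("ecommerce-web", guaranteed_kbps=400, maximum_kbps=800, priority="high"),
    ShapedPolicy("email", guaranteed_kbps=100, maximum_kbps=500, priority="medium"),
    ShapedPolicy("p2p", guaranteed_kbps=0, maximum_kbps=300, priority="low"),
]

def demo_allocation() -> Dict[str, float]:
    # Every policy demands more than the 1000 KB/s link can carry at once.
    return allocate(POLICIES, {"ecommerce-web": 900, "email": 200, "p2p": 500}, link_kbps=1000)

def demo_bucket() -> int:
    # 50 KB packets offered every 100 ms for one second against a 300 KB/s, 100 KB burst bucket.
    bucket = TokenBucket(rate_kbps=300, burst_kb=100)
    return sum(1 for tick in range(10) if bucket.try_send(50, tick * 100))

if __name__ == "__main__":
    print(demo_allocation())   # web 800, email 200, p2p 0
    print(demo_bucket())       # 7 of 10 packets pass
```

In the allocation run the low-priority P2P policy receives nothing, exactly the behaviour the slide describes: low-priority connections get bandwidth only when the high-priority ones leave some unused.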

VPN. VPN support: DES, 3DES and AES encryption; PPTP, L2TP and IPSec tunnels; IKE certificate authentication (X.509); IPSec NAT Traversal; dynamic DNS host names for VPN tunnels; IPSec in Transparent mode; DHCP over IPSec; antivirus for VPN tunnels; apply firewall policies to VPN tunnels; apply AV and content filtering as part of firewall policies.

VPN Can now select individual service/port via “Encrypt” within Firewall Policy IPSec now supports AES encryption with 128, 196, or 256 bit strength Provide certificate support for all IPSec, PPTP, & L2TP tunnels Can import certificates from a CA or can generate internally New advanced features in IPSec with Xauth, Dead Peer Detection, and Peer ID options HA support for VPN fail-over

IPSec VPN Services

IPSec VPN Advanced Options

VPN Services selection

Network Security Application Trends and Technology

Best of Breed Gateway Antivirus, And a Compelling All-In-One Solution
[Deployment diagram: Enterprise HQ/Data Center (with IDS and VPN), mobile worker (remote VPN client or wireless users), small office/telecommuter, MSSP, branch office. Best-of-breed content security gateway: antivirus (in “Transparent Mode”) and content filtering. All-in-one solution: antivirus, content filtering, firewall, VPN, NIDS/IDP.]

Network security architecture diagram
[Diagram: two Internet routers (45 Mb and 10 Mb) feed the core network; DMZ with campus email, FTP and DNS servers; server farm; administrative system and second computer room; IP phone system with PSTN; ISDN videoconferencing; dormitory networked PCs (DHCP clients); departmental VLANs with networked PCs and IP phones; modem pool. Security gateways: a HA network security gateway at the Internet edge, a HA high-speed backbone security gateway, and departmental security gateways.]

High-Availability Solution For Mission Critical Applications
[Diagram: Internet/Intranet users, Router A (e0: 10.0.0.2, e1: 10.0.0.4) and Router B (e0: 10.0.0.3, e1: 10.0.0.5), two switches, redundant firewalls/LocalDirectors, real servers.]
Connect one (or more) of the real servers to one switch and some to the other switch. This way, if one of the switches dies you will still have access to one or more of the real servers. Run HSRP on the routers connected to the Internet. The LocalDirectors do not load balance between themselves: only one LocalDirector is active at any one time. During LD failover you will lose the current connections; currently LD does not support stateful failover.
No single point of failure. Ideal for mission-critical applications. Identifies failed servers and applications and redirects around them.

FORTINET: recommended high-availability network security architecture (High Availability Network Architecture)
[Diagram: Router 1 and Router 2; GE trunks to Switch A1 and Switch A2; a pair of FGT 3000 units in H.A.; GE trunks to Switch B1 and Switch B2; VLANs V1 to V10 (v1 ... v10) mapped to Group1 through Group10; DMZ (server farm).]

A Complete Solution for the Educational Network
[Diagram: Internet, Intranet/Extranet, Backbone, branch campuses (分校), DMZ, TS, departments (系所), Labs, dormitory network (宿網), Core Network, Data Center, with numbered placements:]
1. FG5020 x2 in HA adds antivirus and IDS/IDP protection at the Internet edge, in transparent mode behind the existing firewall
2. FG3600 provides antivirus, IDS/IDP and firewall protection, and traffic shaping functionality for dorms
3. FG3600 x2 in HA adds antivirus and IDS/IDP protection to the existing firewall for OA services
4. FG5020 x2 in HA adds antivirus and IDS/IDP in transparent mode behind the existing firewall
4. FG3000 x2 in HA provides in-line firewall, antivirus and IDS/IDP functionality to the data center
6. FortiClient protects user PCs and workstations

Differentiated Technology Solution Fortinet provides the only complete solution to effectively address the new enterprise security threats

Centralized Management

Centralized Management: Security Service Management / Central Management, a complete turnkey management solution
Policy Manager: create policies for multiple devices and groups; create Content Profiles for multiple devices
Realtime Monitor: system health, device status, session monitor, traffic flow, anti-virus, attack, alert notification
Device Manager: model (create offline devices and configs, check differences)
Log Viewer
Object Manager
Admin Manager: role-based administration
Server Manager

FortiManager System Supports Large Deployments
FortiManager Admin Consoles: Java-based admin console(s); powerful, easy to use; multiple administrators with role-based privileges
FortiManager Server (Appliance): security hardened, plug and play appliance; scales to thousands of FortiGate units; centralized configuration, logging, monitoring; CORBA interface for OSS/BSS integration
FortiGate AV Firewalls under Mgmt.: independent management domains; supports departmental and/or regional management

FortiManager 2.80 Components
SMS: Security Management System
NMS: Network Management System
EMS: Element Management System
Log Monitor: real-time log, historical log, scheduled log backup
Real-time System: AV + NID monitor
Policy Manager: device configuration, access rules, system config, NIDS

Device Manager

Policy Manager

FortiManager 2.8 Architecture
Central Management Platform: relational DB; rack mountable; easy deployment
Management Console: Java app; multiple administrators
Database Hooks: historical storage
FortiGate Antivirus Firewalls: multiple platforms; multiple functionalities

Reporter

Without FirewallAnalyzer. The good news is that firewalls stream all activity as syslog messages, and syslog servers capture this information into log files. But finding valuable information in firewall log files, which contain huge amounts of cryptic information, is not easy.

FortiReporter: graphical report interface; dedicated log analysis for the full Fortinet firewall series; simple graphical Web remote management interface; diverse network traffic reports; intrusion detection analysis reports; antivirus reports; web filtering reports; email filtering reports; report distribution; support for logs from multiple Fortinet firewalls; raw log export; free choice of report time range.

FirewallAnalyzer – Instant Reporting

FirewallAnalyzer – Drill Down

FirewallAnalyzer – Top Viruses Blocked by Day

FirewallAnalyzer - Features
Auto-discovery of Firewalls: FirewallAnalyzer automatically recognizes all configured firewalls.
Advanced Log Data Collection, Data Update and Management: automatically recognizes and collects log data; saves significant disk space and network bandwidth.
Policy-Based Data Update: allows for automatic transfer of delta log files and updates the data into a central repository.
Scalable and Comprehensive Data Management: patent-pending FScale™ data management allows efficient processing, management and optimal storing of large amounts of current and historical log data from 100s of firewalls.
Intelligent Data Correlation: combines and correlates a variety of data from all firewalls.
Rules-Based Alerts: automatically sends alerts based on user-defined thresholds.
Executive Dash Board: provides a summary of activity across firewalls, while giving the drill-down option.
Role Based Access: limits what each user can view based on their role and firewalls.
Managed Security Service Providers (MSSP) Support: offers a value-added reporting service using the Reporting Portal, and allows each customer to view only their own firewall data.

FirewallAnalyzer - Features
Easy to Understand Reports: generates easy to understand and interpret graphical and tabular reports.
Automated Report Generation and Distribution: generates over 300 reports with an easy mechanism to e-mail reports automatically to multiple recipients.
Multiple Report Formats: Instant Reports, HTML, MS Word, MS Excel, Text and PDF.
Automated Syslog Collection: from firewall and VPN appliances.
Multiple Firewall Vendor Support: supports all leading firewall appliances and servers.
Instant Reports with Powerful Drill Down: generates reports in real time without having to wait for the processing of log files; the drill-down feature displays 2nd and 3rd level details with a single click.
Reduced Network Traffic: reduces network traffic between the syslog server and FirewallAnalyzer by using delta log files in compressed format.
Archiving: saves disk space by archiving processed log files.
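The reporting slides above (“Without FirewallAnalyzer”, “Top Viruses Blocked by Day”) describe the problem as pulling a few useful counts out of a stream of cryptic syslog records. The Python below is an added example, not code from the slides, from Fortinet or from the FirewallAnalyzer product: it parses constructed key=value syslog lines (a generic style, not any vendor’s actual log format), discards lines that are not firewall records, and builds the top-viruses-per-day and top-infected-sources views a report would show. The log lines, host addresses and virus names are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed syslog lines in a generic key=value style (not Fortinet's real log format).
SAMPLE_LOGS = [
    '<134>Sep 16 10:02:11 fw1 date=2004-09-16 time=10:02:11 type=virus src=10.20.1.5 dst=203.0.113.10 service=http virus="W32/Msblast.A" action=blocked',
    '<134>Sep 16 10:05:42 fw1 date=2004-09-16 time=10:05:42 type=traffic src=10.20.1.9 dst=203.0.113.11 service=https action=accept',
    '<134>Sep 16 11:17:03 fw1 date=2004-09-16 time=11:17:03 type=virus src=10.20.1.5 dst=10.1.0.7 service=smtp virus="W32/Msblast.A" action=blocked',
    '<134>Sep 16 12:30:00 fw1 date=2004-09-16 time=12:30:00 type=virus src=10.20.2.3 dst=203.0.113.12 service=http virus="W32/Nimda.A" action=blocked',
    '<134>Sep 16 13:01:19 fw1 date=2004-09-16 time=13:01:19 type=virus src=10.20.1.5 dst=203.0.113.13 service=ftp virus="W32/Msblast.A" action=blocked',
    '<134>Sep 17 08:44:51 fw1 date=2004-09-17 time=08:44:51 type=virus src=10.20.3.8 dst=203.0.113.14 service=http virus="W32/Sasser.B" action=blocked',
    '<134>Sep 17 09:12:07 fw1 date=2004-09-17 time=09:12:07 type=virus src=10.20.3.8 dst=203.0.113.15 service=http virus="W32/Sasser.B" action=blocked',
    'this line is not a firewall record at all',
]

# key=value pairs, where a value is either a quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the record's fields, or None for lines that are not firewall records."""
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    if "date" not in fields or "type" not in fields:
        return None
    return fields

def top_viruses_by_day(lines: List[str], n: int = 3) -> Dict[str, List[Tuple[str, int]]]:
    """Blocked-virus counts per day, most frequent first (the 'Top Viruses Blocked by Day' view)."""
    per_day: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("type") == "virus" and rec.get("action") == "blocked":
            per_day[rec["date"]][rec["virus"]] += 1
    return {day: counts.most_common(n) for day, counts in sorted(per_day.items())}

def top_infected_sources(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Internal hosts that triggered the most virus events: the first drill-down an analyst wants."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("type") == "virus":
            counts[rec["src"]] += 1
    return counts.most_common(n)

if __name__ == "__main__":
    print(top_viruses_by_day(SAMPLE_LOGS))
    print(top_infected_sources(SAMPLE_LOGS))
```

Keeping the parser separate from the aggregations is what makes new report types cheap: the per-source drill-down reuses the same parsed records, and a second device’s log format only needs a second parser.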

High-Availability

High Availability: Active-Active and Active-Passive; HA is also provided in transparent mode. Packet distribution methods: None, Hub, Least-Connection, Round-Robin, Weighted-RoundRobin, Random, IP, IP Port. FW and VPN fail over within 3 seconds. HA alerts: after a failover the unit actively notifies MIS via SNMP and logs the event.
FGCP (FortiGate Clustering Protocol) supports both Active-Passive and Active-Active configurations through a layer 2 switch
Active-Active clustering of up to 8 FG units provides both stateful failover and effective load balancing to enhance system performance (2.5)
6 load balancing algorithms supported: round robin, least connections, etc.

Firewall Management

Built-in management functions
- SNMP (Simple Network Management Protocol)
- SSH (Secure Shell)
- CLI (command-line interface)
- Web GUI (web graphical user interface): the "killer app", secured with SSL (HTTPS)
Whichever interface is used, management access should be bound to a trusted interface or management network rather than exposed on the Internet-facing side.

Real-time monitoring view

How Individual Users Can Defend Against Network Threats

Personal computer protection requirements
- Anti-virus / anti-spam
- Anti-spyware / anti-Trojan
- Personal firewall
- Host IDS, including Windows Registry alerts
- Large-scale, centralized policy management
- VPN: IPSec client for secure connectivity

Active Port
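The "Active Port" view is the part of a personal firewall or host IDS that shows what a PC is listening on. As an added example (not code from the slides or any vendor), the script below does the check a practitioner actually wants from that view: parse netstat-style output, keep only listening sockets, and report those not on an allowlist, distinguishing loopback-only listeners from ones reachable from the network. The netstat text is constructed sample data and the allowlist is an assumption.

```python
"""Audit the listening sockets a host exposes against an allowlist.

Added example, not code from the slides or any vendor: this is the check behind
an "active ports" view in a personal firewall or host IDS. The netstat-style
text below is constructed sample data, and the allowlist is an assumption."""
import re
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING
TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
TCP    192.168.1.20:49712     198.51.100.10:443      ESTABLISHED
UDP    0.0.0.0:137            *:*
UDP    0.0.0.0:1434           *:*
"""

# Listeners a workstation is expected to have (assumption for this example).
ALLOWED_LISTENERS = {("tcp", 135), ("tcp", 445), ("udp", 137)}

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str

    @property
    def exposed(self) -> bool:
        """True when the socket is reachable from the network, not only loopback."""
        return self.local_ip not in ("127.0.0.1", "::1")


def parse_netstat(text: str) -> list:
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # header and blank lines
        proto, ip, port, _foreign, state = m.groups()
        # A bound UDP socket has no state column; treat it as a listener.
        sockets.append(Socket(proto.lower(), ip, int(port), state or "LISTENING"))
    return sockets


def unexpected_listeners(text: str, allowed=ALLOWED_LISTENERS) -> list:
    """Listening sockets not on the allowlist, sorted by protocol and port."""
    found = [s for s in parse_netstat(text)
             if s.state == "LISTENING" and (s.proto, s.local_port) not in allowed]
    return sorted(found, key=lambda s: (s.proto, s.local_port))


if __name__ == "__main__":
    for s in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{s.proto}/{s.local_port} on {s.local_ip}: "
              f"{'EXPOSED' if s.exposed else 'loopback only'}")
```

Run against real output (netstat -an on Windows, or ss -lntu on Linux with the regex adjusted), the useful signal is the set difference, not the full list: a new listener bound to 0.0.0.0 that nobody installed is what a host IDS should alert on.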

Case Study

Data Center Security Option 1: Conventional Point Solutions
- Firewall: Check Point Firewall-1 on Nokia IP 740
- Intrusion detection: Tipping Point UnityOne-400
- Antivirus: Trend Micro antivirus software (10,000 user license) on 4 Dell servers
- Protecting the data center servers

Data Center Security Option 2: FortiGate 3600 System
The FortiGate 3600 extends the existing perimeter security architecture for one or more of the following functions:
- Firewall
- Gateway antivirus
- Transparent-mode firewall
- Intrusion detection and prevention
- VPN connectivity
- Content filtering
- Traffic shaping

Acquisition / First Year Costs

Technology                                      FortiGate 3600    Point Solutions
Firewall                                        $30,000           $70,000
Antivirus                                       Included          (not itemized)
NIDS/IDP                                        Included          $43,000
Acquisition Cost                                $30,000           $183,000
Services (Maintenance, Subscriptions, Support)  $15,000 (est.)    $50,000 (est.)
Personnel cost per year                         1 @ $75,000       2 @ $75,000
Training                                        $2,000            $7,500 (est.)

Check on the figures: the itemized point-solution prices ($70,000 + $43,000) sum to $113,000, so the remaining $70,000 of the $183,000 total is evidently the antivirus license, which the slide does not itemize.

Three Year Cost Comparison

Category      FG3600 3 Yr Cost Est.   Point Solution   $ Difference   %
Acquisition   $30,000                 $183,000         ($153,000)     (84%)
Services      $45,000                 $150,000         ($105,000)     (70%)
Personnel     $225,000                $450,000         ($225,000)     (50%)
Training      $6,000                  $22,500          ($16,500)      (73%)
TCO           $306,000                $805,500         ($499,500)     (62%)

[Network topology diagram: SCU (scu.edu.tw) Downtown Campus and Waishuanghsi Campus. Uplinks to TANet, TANet II, HiNet and Seednet; a Cisco 6509 core at each campus; Fortigate 3000 at the Internet server farm edge and Fortigate 1000 at the Waishuanghsi campus; Cisco Catalyst 2900/3500-series, Extreme 24e2 and Foundry FSW4802 access switches across the buildings, library and computer labs; CacheFlow 6000, HPOV and Netflow servers, mail and DNS servers, and the Administration & Academic System. Link types: Fast Ethernet FX or fiber, Gigabit SX, Gigabit LX.]

Key Security Considerations
- Malware: hard to control outbreaks; rogue notebooks
- Unauthorized access: internal and external threats
- Bandwidth use: needs to be regulated
- Wireless: increasingly prevalent

Security Requirements
- Enhance security: previously lacked a formal security policy; want to keep the network open
- Secure perimeter: need protection from threats outside and threats from within
- Limit the virus threat: secure at the core network gateway and at the sub-net gateways

Previous Security Architecture
- Layer 3 switch/router with packet filtering based on access lists
- No firewall
- No IDS
- Antivirus for the mail server only (software solution)
- Client AV recommended to students and staff
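Why "packet filtering based on access lists" on a layer 3 switch is a weaker perimeter than a firewall deserves one concrete illustration. The added example below (not from the slides or any vendor) models a stateless inbound ACL that uses the usual "established" shortcut (match if ACK or RST is set) beside a stateful firewall that only admits replies to sessions the inside actually opened. The inside address range, the rule set and the packets are constructed for illustration.

```python
"""Stateless ACL filtering versus a stateful firewall.

Added example, not from the slides or any vendor: it models why packet filtering
with access lists on a layer 3 switch (the previous architecture) is weaker than
a firewall that tracks sessions. Addresses, the inside range and the rule set are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")        # assumed campus address space
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset       # TCP flags present, e.g. frozenset({"SYN"})


# Inbound ACL, first match wins: (action, src_net, dst_net, dport or None, established)
# 'established' mimics the IOS keyword: match only if ACK or RST is set.
ACL_IN = [
    ("permit", ANY, "10.0.0.0/8", None, True),        # "replies" to inside sessions
    ("permit", ANY, "10.1.1.10/32", 80, False),       # public web server
    ("deny", ANY, ANY, None, False),
]


def acl_allows(pkt: Packet, acl=ACL_IN) -> bool:
    """Stateless evaluation: every packet is judged on its own header fields."""
    for action, src_net, dst_net, dport, established in acl:
        if ip_address(pkt.src) not in ip_network(src_net):
            continue
        if ip_address(pkt.dst) not in ip_network(dst_net):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return action == "permit"
    return False      # implicit deny


class StatefulFirewall:
    """Inbound packets are accepted only as replies to sessions the inside opened,
    or via an explicit permit for new sessions; the 'established' shortcut is gone."""

    def __init__(self, acl=ACL_IN):
        self.new_session_rules = [r for r in acl if not r[4]]
        self.expected_replies = set()        # (src, dst, sport, dport) of the reply direction

    def outbound(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in INSIDE:
            return False
        self.expected_replies.add((pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if (pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.expected_replies:
            return True
        return acl_allows(pkt, self.new_session_rules)


def compare() -> dict:
    """Constructed scenario: one legitimate web session and one ACK probe at SMB."""
    fw = StatefulFirewall()
    request = Packet("10.0.5.7", "198.51.100.9", 51000, 80, frozenset({"SYN"}))
    reply = Packet("198.51.100.9", "10.0.5.7", 80, 51000, frozenset({"SYN", "ACK"}))
    # Unsolicited packet with ACK set, as an ACK scan or firewalking tool would send.
    ack_probe = Packet("203.0.113.5", "10.0.5.7", 1234, 445, frozenset({"ACK"}))
    fw.outbound(request)
    return {
        "reply": (acl_allows(reply), fw.inbound(reply)),
        "ack_probe": (acl_allows(ack_probe), fw.inbound(ack_probe)),
    }


if __name__ == "__main__":
    for name, (acl, stateful) in compare().items():
        print(f"{name}: ACL {'permits' if acl else 'denies'}, "
              f"stateful firewall {'permits' if stateful else 'denies'}")
```

Both devices pass the genuine reply, but only the ACL passes the unsolicited ACK to port 445 on an internal PC, which is exactly how ACK scans map filtered networks and how a worm's traffic with the right flags slips past list-based filtering. That gap is the reason the case study moves from switch ACLs to a firewall with session state.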

Vendor Selection Criteria
- Evaluated: hardware, price, performance, manageability
- Vendors evaluated: Fortinet, NetScreen, SonicWall, Nokia (Check Point), Cisco PIX

Virus Log

Attack Log
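The Virus Log and Attack Log slides show what the FortiGate records; the FirewallAnalyzer features earlier (automated syslog collection, rules-based alerts on user-defined thresholds, intelligent data correlation) describe what should be done with those records. The added example below (not eIQ FirewallAnalyzer or Fortinet code) ties the two together: it parses FortiGate-style key=value syslog lines of type=virus and type=attack, fires an alert when a source host exceeds a per-type threshold, and correlates the two logs to single out internal hosts that both send infected files and trip IPS signatures. The log lines, field names, attack labels and thresholds are constructed for the example; real log formats vary between FortiOS versions.

```python
"""Threshold alerts and cross-log correlation over firewall syslog.

Added example, not eIQ FirewallAnalyzer or Fortinet code: it parses FortiGate-style
key=value log lines of type=virus and type=attack, raises an alert when a source
host exceeds a per-type threshold, and correlates the two logs to single out hosts
that are both sending infected files and tripping IPS signatures. The log lines,
field names, attack labels and thresholds are constructed; real log formats vary
between FortiOS versions."""
import re
from collections import Counter, defaultdict

SAMPLE_LOGS = """\
date=2004-03-02 time=10:15:01 devname=FG3000 type=virus subtype=infected srcip=10.1.12.34 dstip=203.0.113.8 service=http file="setup.exe" virus="EICAR_TEST_FILE" action=blocked
date=2004-03-02 time=10:15:09 devname=FG3000 type=virus subtype=infected srcip=10.1.12.34 dstip=203.0.113.8 service=http file="update.exe" virus="EICAR_TEST_FILE" action=blocked
date=2004-03-02 time=10:15:40 devname=FG3000 type=virus subtype=infected srcip=10.1.12.34 dstip=198.51.100.3 service=smtp file="photo.zip" virus="EICAR_TEST_FILE" action=blocked
date=2004-03-02 time=10:16:02 devname=FG3000 type=virus subtype=infected srcip=10.1.50.2 dstip=203.0.113.8 service=http file="a.exe" virus="EICAR_TEST_FILE" action=blocked
date=2004-03-02 time=10:16:10 devname=FG3000 type=attack subtype=ips srcip=10.1.12.34 dstip=10.1.20.5 dstport=445 attack="port_scan" action=dropped
date=2004-03-02 time=10:16:11 devname=FG3000 type=attack subtype=ips srcip=10.1.12.34 dstip=10.1.20.6 dstport=445 attack="port_scan" action=dropped
date=2004-03-02 time=10:16:11 devname=FG3000 type=attack subtype=ips srcip=10.1.12.34 dstip=10.1.20.7 dstport=445 attack="port_scan" action=dropped
date=2004-03-02 time=10:17:30 devname=FG3000 type=attack subtype=ips srcip=203.0.113.77 dstip=10.1.1.10 dstport=80 attack="syn_flood" action=dropped
date=2004-03-02 time=10:17:31 devname=FG3000 type=attack subtype=ips srcip=203.0.113.77 dstip=10.1.1.10 dstport=80 attack="syn_flood" action=dropped
date=2004-03-02 time=10:17:32 devname=FG3000 type=attack subtype=ips srcip=203.0.113.77 dstip=10.1.1.10 dstport=80 attack="syn_flood" action=dropped
"""

# Events per source host, per log type, before an alert fires (assumed thresholds).
RULES = {"virus": 3, "attack": 3}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """key=value fields, with quoted values allowed to contain spaces."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def evaluate(text: str, rules=RULES) -> dict:
    counts = defaultdict(Counter)                    # log type -> Counter of srcip
    for line in text.splitlines():
        ev = parse_line(line)
        if "type" in ev and "srcip" in ev:
            counts[ev["type"]][ev["srcip"]] += 1

    alerts = [(typ, host, n)
              for typ, threshold in rules.items()
              for host, n in counts[typ].most_common()
              if n >= threshold]

    # Correlation: an internal host that sends infected files AND scans or floods
    # neighbours is almost certainly compromised, whatever the per-log thresholds say.
    infected = sorted(set(counts["virus"]) & set(counts["attack"]))
    return {"alerts": alerts, "infected_hosts": infected, "counts": counts}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOGS)
    for typ, host, n in result["alerts"]:
        print(f"ALERT {typ}: {host} generated {n} events (threshold {RULES[typ]})")
    print("likely infected internal hosts:", result["infected_hosts"])
```

The correlation step is the part worth keeping even with a commercial analyzer: a single virus block is noise on a campus network, but the same internal address appearing in both the virus log and the attack log is the rogue-notebook outbreak the "Key Security Considerations" slide worries about, and it deserves a ticket before any threshold is reached.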

Chose Fortinet!
- Broad functionality
- High performance, especially for antivirus: gigabit-level real-time protection
- Technical support from the SI and Fortinet: Hewlett-Packard Taiwan
- Business relationship: trust in the Fortinet and HP teams; long-term relationship with Fortinet AM, Paul Huang

Products Selected: FG3000, FG1000, FG60
- FG3000: perimeter security on the core network (firewall, antivirus, NIDS)
- FG1000: perimeter security on the sub-net holding student records
- FG60: NPAT between the FG3000 and the server farm; NIDS and AV functions will be added

[Network design diagram: TANET and TANET II uplinks at 1000 Mbps into the "Intermost Network" layer 3 switch; the FG3000 in front of the server farm and public servers (1000 Mbps links, one 100 Mbps segment); VPN tunnels from the FG3000 toward the Waishuanghsi Campus and the Downtown Campus, each with a Cisco 6509 core, internal user PCs and public servers behind an L2 switch; the FG1000 behind an L3 switch in front of the Administration & Academic System.]

Benefits
- Vastly improved security: secure perimeter; alleviated malware threat; DoS protection; virus protection
- Ease of management: automated push updates; improved reporting with eIQ; MIS has more time to manage the rest of the network's events

Future Plans
- Considering additional units for the two campus gigabit gateways and for different schools
- Looking at the FG60 for sub-nets (different departments' LANs): appears to fulfil the requirements and is cost-effective

Q & A
Thank you