Campus Network Information Security Threats and Applied Technologies 陳家慶 (Jacob Chen) # 11


1 Campus Network Information Security Threats and Applied Technologies 陳家慶 (Jacob Chen) 886-2-87860968 # 11
Enterprises, Small/Medium Sized Businesses (SMBs) and enterprise branch offices need network protection that’s complete, manageable, and affordable. But the marketplace is crowded with undifferentiated “me-too” products based on old technologies and architectures. Fortinet’s FortiGate solutions are a new generation of ASIC-based network protection systems that provide capabilities and price/performance unmatched by any competing systems. They provide Enterprises and SMBs with a full range of application-layer and network-layer security, with real-time performance, in cost-effective platforms that can be installed and managed easily. Qualified distributors and resellers have an outstanding opportunity to open new accounts, increase sales to existing accounts, and raise margins through a partnership with Fortinet. 陳家慶 (Jacob Chen) # 11

2 Agenda Analysis of potential network security threats, 15 min (network viruses, worms, attacks, spam, P2P...) Campus network security solutions and management analysis, 20 min
Case study (min) Break (min) Content security management and demo (min) Config practice (min)

3 Analysis of potential information network threats

4 Customer Needs The limitations of conventional systems are not lost on users. In a recent study, nearly all respondents reported that they wanted to see new functions integrated into their firewalls – especially anti-virus, intrusion detection, and content filtering. Firewalls alone are not enough – users want new, integrated capabilities. Source: Infonetics Research

5 The Nature of Threats Has Evolved…
Major Pain Points for Organizations of all Types. Figure labels: CONTENT-BASED (anti-spam, spam, banned content, content filter, worms, anti-virus, Trojans, viruses); CONNECTION-BASED (IDS, VPN, firewall, intrusions); PHYSICAL (lock & key, hardware theft); axis: speed/damage ($) over 1970, 1980, 1990, 2000. Notes: In the early days of computing, the biggest security concern was that someone was going to physically walk off with a disk pack or set of tapes. As networks became popular, both within and between organizations, it became possible for attackers to enter networks from outside and to use CONNECTION-BASED attacks to reach and compromise private data and programs. Today, the most damaging and fast-moving threats are CONTENT-BASED. Content-based attacks don't require sustained connections in order to do damage: once a virus or worm has been inserted into a computer, it can act on its own and spread without a connection to the attacker. The big challenge with content-based threats is that they are almost always delivered over connections that are inherently trusted, like email and Web traffic. In addition, content-based attacks don't discriminate between different types of companies; they usually spread automatically without regard for the size of a company or the value of its data. This means that every company is at risk. The same is true of other types of content threats, including inappropriate Web content and spam. The costs of these threats to businesses are huge, estimated at over $10 billion annually, and growing rapidly. Think of what the last virus attack cost your business!

6 The “Content Processing Barrier” is the Challenge to Network Protection
Figure: processing power required per service type. Network-level services (firewall, VPN, IDS) are supported by today's network edge devices; application-level services (virus/worm detection, content filtering) exceed the capabilities of available network devices. The line between them is the CONTENT PROCESSING BARRIER. Notes: The Content Processing Barrier is the fundamental reason why conventional networking systems can't handle application-level functions like virus scanning and content filtering at network speeds. Compared with FW, VPN, and even IDS processing, application-level processing requires hundreds of times more processing power per packet. That's the content processing barrier.

7 Conventional Solutions Can’t Keep Up with Real-Time Communications
25%+ of virus infections delivered via Web traffic* (vs. email). Software AV scanning is too slow for Web traffic. The need for speed keeps increasing: Email -> Web -> Instant Messaging -> ??? Conventional firewall and AV products are behind; a new approach is needed. *Yankee Group

8 Conventional/Single Point Security Solution Do Not Solve these Problems
Figure labels: hacker, spam, viruses and worms, mail server, intrusions, banned content, new job.com, music.com; callout "If it is Sasser, then ...". Notes: If you ask 100 people what they use to protect their network, close to 100 will answer "a firewall." But what do firewalls really protect against? They don't stop the attacks that do the most damage: malicious emails, viruses and worms, intrusions and banned content pass right through. The reason is that firewall technology was designed nearly a decade ago, when networks (and security threats) were much simpler. Firewalls only look at the headers of packets (i.e. the to and from addresses on the envelopes) to decide if a packet is OK. But the damage from today's threats comes from the contents carried by the packets, and firewalls don't look inside. They do not examine the content of data packets, so threats pass through.

9 Many Conventional Products are Needed for a “Complete” Solution
Figure labels: filtering software, anti-virus software, IDS/IPS, VPN, web content filtering software; threats: hacker, malicious email, viruses and worms, spam, intrusions, banned content; new job.com, music.com. Notes: As a result of the limitations of conventional firewalls and point security products, those who want complete network protection are forced to buy a lot of expensive equipment, integrate it together, and use a lot of skilled staff to keep it running. The investment required to do this exceeds the budgets of many, many organizations. Some vendors call this approach a "best of breed" solution. It isn't clear what's best about this approach.

10 Campus network security solutions and management analysis

12 Firewall
A firewall operates at the network layer and the transport layer, and can also treat packets from a management viewpoint, that is, by the direction in which they travel. Through firewall management, the network address (IP address), the network service (TCP/UDP port number) and the direction are combined into a tightly woven security net. High performance; ICSA certified; NAT, Route and Transparent modes; H.323 NAT support; policy-based; LDAP and RADIUS group authentication; WAN failover; control of over 40 standard protocols or user-defined services, e.g. Telnet, RealAudio, FTP, GRE, Oracle*8 etc.; management and control of DHCP relay and WINS; unified management of antivirus, firewall and VPN. Apply firewall policies to VPN tunnels. Apply AV and content filtering as part of firewall policies.
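The slide describes a policy as a combination of address, service (port) and direction, with address objects that must exist before a policy can reference them. The following is an added example, not code from the deck or from Fortinet, of a first-match policy evaluator with an implicit deny; the address objects, policy names and content-profile names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Address objects must exist before a policy references them (the deck's
# "address must be defined first" rule). Constructed sample objects:
ADDRESSES = {
    "lan":      "10.0.0.0/8",
    "dmz-mail": "192.0.2.25/32",
    "any":      "0.0.0.0/0",
}


@dataclass(frozen=True)
class Policy:
    name: str
    direction: str           # "outbound" (LAN -> WAN) or "inbound" (WAN -> LAN/DMZ)
    src: str                 # name of an address object
    dst: str                 # name of an address object
    proto: str               # "tcp" or "udp"
    ports: range             # destination port range
    action: str              # "accept" or "deny"
    profile: Optional[str]   # content profile (AV / web filter) applied on accept


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def _in_addr(ip: str, addr_name: str) -> bool:
    if addr_name not in ADDRESSES:
        raise KeyError(f"address object {addr_name!r} must be defined before use")
    return ip_address(ip) in ip_network(ADDRESSES[addr_name])


def matches(policy: Policy, pkt: Packet) -> bool:
    """Header-only match: direction, source, destination, protocol, port."""
    return (policy.direction == pkt.direction
            and _in_addr(pkt.src_ip, policy.src)
            and _in_addr(pkt.dst_ip, policy.dst)
            and policy.proto == pkt.proto
            and pkt.dst_port in policy.ports)


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, Optional[str], str]:
    """First matching policy wins; anything unmatched is implicitly denied."""
    for p in policies:
        if matches(p, pkt):
            return p.action, p.profile, p.name
    return "deny", None, "implicit-deny"


# Constructed policy table, evaluated top to bottom.
POLICIES = [
    Policy("lan-to-web", "outbound", "lan", "any", "tcp", range(80, 81), "accept", "web-av"),
    Policy("lan-to-https", "outbound", "lan", "any", "tcp", range(443, 444), "accept", None),
    Policy("inet-to-mail", "inbound", "any", "dmz-mail", "tcp", range(25, 26), "accept", "mail-av"),
]

if __name__ == "__main__":
    web = Packet("outbound", "10.1.2.3", "198.51.100.7", "tcp", 80)
    rpc = Packet("inbound", "198.51.100.9", "10.1.2.3", "tcp", 135)
    print(evaluate(POLICIES, web))   # accepted, with the web-av content profile
    print(evaluate(POLICIES, rpc))   # no policy matches, so implicitly denied
```

The profile returned with an accept is what the later "Content Profiles" slides attach to a policy: the header match decides whether traffic passes, and the profile decides what content inspection is applied to it.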

13 Firewalls Don’t Analyze Contents so they Miss Content Attacks
Figure: DATA PACKETS pass through a STATEFUL INSPECTION FIREWALL that inspects packet headers only, i.e. it looks at the envelope but not at what is inside. Header fields examined: MAC address, source IP, destination IP, protocol, port (the "TO, FROM, TYPE OF DATA"). The PAYLOAD (data) is not scanned, so packets carrying "Four score and ... BAD CONTENT ... our forefathers brought forth upon this continent a new nation ... liberty, and dedicated to the proposition that all" are each passed as OK. CONFIDENTIAL

14 Firewall Policy for VLAN, Zone and Interfaces/Ports
A zone must contain VLANs and/or interfaces/ports before it can be used in a policy. An "Address" must be assigned to the VLAN, zone or interface/port before creating a policy. Use content profiles to apply different restrictions to various groups of IP addresses; create the content profile before creating the policy. Services/ports for VPN. Traffic shaping: token bucket.

15 Firewall - VLAN A firewall policy can be applied to an interface, zone, VLAN, or the 2nd IP of an interface. The "address" must be defined first within the Firewall section.

16 Firewall – 2nd IP LAN Address

17 Firewall – VLAN Address

18 Content Profiles First enable, in each profile, AV scanning/blocking, quarantining, Web/email filtering, etc. Then each profile can be assigned on a per-firewall-policy basis. This provides the flexibility to meet different requirements and access restrictions for various groups. Can be applied to all supported protocols (HTTP, FTP, SMTP, POP3, IMAP).

19 Unified policy management: content can be adjusted flexibly to different users' needs to form the network rules

20 Policy-Based Protection Profile
Network usage rules can be defined for a single policy

21 Antivirus Infection channels; performance requirements; policy-based; rapid threat response. Infection channels: local LAN (Network Neighborhood shares, operating system vulnerabilities),
HTTP, FTP, IMAP, POP3, SMTP; free software, file sharing, "free" registration codes. Performance requirements: ASIC-based antivirus solution; ICSA-certified hardware antivirus gateway. Policy-based virus scanning; complete worldwide virus signature database; infected files can be quarantined and oversized files blocked. Rapid threat response: provided by the Threat Response Team and FortiResponse; automatic updates of virus signatures and intrusion detection signatures. The world's only ASIC-based antivirus solution. Automatic push updates for AV and NIDS definition databases. First and only ICSA-certified, hardware-based AV gateway. Policy-based virus scanning. Scans all email traffic (SMTP, POP3, IMAP). Scans all Web (HTTP) content, downloads, and web mail; support for non-standard port HTTP traffic scanning (2.5). Scans all FTP traffic (new in 2.5; does not require H/W upgrade). Decrypts and scans encrypted VPN tunnels for viruses and worms. Scans encrypted Microsoft Macro files. Able to scan through 12 levels of compression; LZH compression added in 2.5. Full coverage of the industry-standard WildList viruses, including polymorphic viruses. Quarantine of infected and suspicious files and blocking of oversized (user-definable) files (added in 2.5). Updated by the Threat Response Team and the FortiResponse™ Distribution Network. Joe Wells, leading AV guru, Chief Antivirus Architect.

22 Msblast Take the Msblast worm infection as an example. Msblast stays resident in the memory of an infected machine and probes random IP addresses at roughly 20 per second to find the next possible victim. Once a machine is infected, Msblast opens port 4444 and port 69 on it and attempts to connect to TCP port 135 on other machines. When it finds a target and gets into the system, it uses the known Microsoft vulnerability in DCOM (Distributed Component Object Model) RPC (Remote Procedure Call) so that a copy of the worm is downloaded to the victim with the TFTP (trivial FTP) tool and copied under windows\system32. The victim may show a message that the RPC service terminated unexpectedly with a 60-second countdown to restart, causing the system to reboot again and again. On the 16th the worm triggers, and all infected machines launch a DoS (Denial of Service) attack on the same day against Microsoft's update site (windowsupdate.com) in an attempt to bring it down. At the time an estimated million-plus machines worldwide were infected, keeping many IT staff busy applying the Microsoft patch to every machine and answering calls from the affected users.

23 Some Firewalls Claim to do “Deep Packet Inspection” – But They Still Miss a Lot
Performs a packet-by-packet inspection of contents, but can easily miss complex attacks that span multiple packets. Figure: the packets "Four score and", "BAD CONTENT our forefathers brou", "ght forth upon this continent a new nation," and "n liberty, and dedicated to the proposition that all" are each passed as OK; the signature split across packet boundaries goes undetected. Notes: Basic packet processing, which is what firewalls do, won't detect the key threats. Some vendors talk about doing "packet-level" scanning for viruses and worms, but that makes no sense! There's no reason to believe that a virus will be contained completely within one packet; it will probably be chopped up and spread across multiple packets. Simply looking at the network-level contents of a single packet won't catch most threats. The only way to effectively do network-based scanning for viruses and banned content is to first re-assemble the packets back into the original APPLICATION-level objects from which they were derived, i.e. the files, programs, etc. THEN, once the original content has been re-created, you can scan it for viruses, worms, bad URLs, bad words, etc. But conventional network devices can't do this. CONFIDENTIAL

24 Network-Level Processing is Not Enough
Figure, NETWORK-LEVEL CONTENT (PACKETS): a FIREWALL inspects packet headers only and passes "valid" packets that carry banned content and attacks; a URL FILTER stops blacklisted URLs but may miss BANNED WORDS embedded in content; a PACKET-BASED VIRUS SCAN may miss attacks that span multiple packets (the packets "Four score and seven years ago our forefathers brou", "ght forth upon this BANNED WORDS a new nation," and "n liberty, and dedicated to the proposition that all" are inspected one at a time). APPLICATION-LEVEL CONTENT PROCESSING: 1. Reassemble packets into content. 2. Compare against disallowed content and attack lists (DISALLOWED CONTENT: BAD CONTENT, BANNED WORDS, NASTY THINGS, NASTIER THINGS; ATTACK SIGNATURES), so that the reassembled text "Four score and seven years ago our forefathers brought forth upon this BANNED WORDS a new ... liberty, and dedicated to the proposition that all..." is matched. Notes: as for slide 23.
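Slides 23 and 24 argue that a signature chopped across packet boundaries is invisible to a per-packet scan and only reappears once the stream is reassembled. The following added example (not code from the deck or from Fortinet) shows both scanners side by side on a constructed payload built from the slide's "Four score" text; the signature list, the segment size and the offset-based reassembly are all assumptions made for the illustration.

```python
from typing import List, Set, Tuple

# Constructed signature list; a real gateway loads a full virus/keyword database.
SIGNATURES = [b"BAD CONTENT", b"BANNED WORDS"]

Segment = Tuple[int, bytes]   # (byte offset within the stream, payload)


def segment(stream: bytes, mtu: int) -> List[Segment]:
    """Split an application-level object into packet-sized pieces."""
    return [(i, stream[i:i + mtu]) for i in range(0, len(stream), mtu)]


def scan_per_packet(segments: List[Segment], signatures=SIGNATURES) -> Set[bytes]:
    """Packet-level inspection: each payload is checked in isolation."""
    hits = set()
    for _, payload in segments:
        for sig in signatures:
            if sig in payload:
                hits.add(sig)
    return hits


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the original object; segments may arrive out of order.

    A gap (missing segment) raises, because scanning an incomplete object
    would give a false sense of coverage.
    """
    stream = b""
    for offset, payload in sorted(segments, key=lambda s: s[0]):
        if offset != len(stream):
            raise ValueError(f"gap in stream at offset {len(stream)}")
        stream += payload
    return stream


def scan_reassembled(segments: List[Segment], signatures=SIGNATURES) -> Set[bytes]:
    """Application-level inspection: reassemble first, then match."""
    stream = reassemble(segments)
    return {sig for sig in signatures if sig in stream}


# Constructed sample: the deck's "Four score" text with a signature spliced in.
SAMPLE = (b"Four score and BAD CONTENT our forefathers brought forth "
          b"upon this continent a new nation")

if __name__ == "__main__":
    segs = segment(SAMPLE, 20)          # "BAD CONTENT" straddles the 20-byte boundary
    print(scan_per_packet(segs))        # empty: neither packet holds the whole signature
    print(scan_reassembled(segs[::-1])) # {b'BAD CONTENT'} even when packets arrive reversed
```

The same split happens to real signatures at any packet boundary, which is why the deck insists on reconstructing the application object before matching; the gap check in `reassemble` is the defender's guard against declaring a partially received object clean.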

25 Virus Everywhere

26 WildList "Wild" viruses are defined as viruses that have infected and spread among computers recently or in past years. When such viruses are discovered they are formally disclosed by the WildList Organization International, which also publishes a monthly WildList report listing the viruses that have spread in the wild since 1993; these are the viruses that genuinely need to be treated as threats and isolated. To achieve comprehensive protection, more than 55 qualified antivirus companies worldwide are members of the organization, with an obligation to report and provide virus samples, using global resources to stop the spread of viruses.

27 Network Anti-Virus A NAV system should be closed: secure, so that the system itself cannot be attacked by viruses or hackers.
NAV must solve this problem in hardware (ASIC). Packet processing engine: handles packet headers and accelerates identifying which packet belongs to which application-layer data flow. Signature scanning engine: reassembles packet payloads into content streams in system memory and loads the appropriate virus signatures to compare against them directly.

28 FortiProtection Center Web Portal & Email Bulletins
World-wide real-time update centers ensure rapid response to new threats: Fortinet Threat Response Team and update distribution servers; FortiProtection Center Web portal and email bulletins; automatic updates can reach all FortiGate units worldwide in under 5 minutes.

29 Virus List

30 Virus Detection Protocols are handled differently when a virus is detected. IMAP and POP3: attachment removed, with a customizable message. HTTP: page replaced with a custom page. FTP and SMTP: in-session error.

31 Command Triggers Within each protocol, specific commands trigger antivirus inspection. IMAP: FETCH. HTTP: GET, POST. FTP: RETR, PUT. SMTP: BDAT (but not with multiple chunks), DATA. POP3.

32 Splicing Session splicing is used when traffic is being scanned for viruses. When a virus is detected: SMTP, splicing enabled: stops the SMTP transfer and returns an error message to the sender; splicing disabled: the attachment is removed and a message is sent to the recipient. FTP upload, splicing enabled: buffers the file for scanning while uploading it to the FTP server, stops the FTP transfer and attempts to delete the partially uploaded file; splicing disabled: buffers the file for scanning before upload and, if "clean," uploads it to the server.

33 Quarantining Files FortiGate units with hard disks can be configured to quarantine blocked or infected files The quarantined files are removed from the content stream and stored on the FortiGate hard disk Users receive a message informing them that the removed files have been quarantined

34 Quarantine List The quarantine list can be sorted and filtered for ease of use Suspicious files can be uploaded to Fortinet for analysis

35 AutoUpload Suspicious files can be sent to Fortinet automatically for analysis New files and patterns can be added to the list

36 Quarantine Options Configure the FortiGate unit to handle quarantined files

37 Non-standard Ports Antivirus scanning can be configured to recognize application traffic on non-standard service ports. This can be used for customized services and is useful with HTTP proxies and caching. CLI:
config antivirus service smtp
    set port <port_integer>
end

38 File Blocking By default, when file blocking is enabled, the FortiGate unit blocks the following file types: executables (.bat, .com, .exe); compressed/archive (.gz, .rar, .tar, .tgz, .zip); DLLs; HTML applications (.hta); Microsoft Office (.doc); Microsoft Works (.wps); Visual Basic (.vb?); screen savers (.scr); Windows information (.pif). File blocking is performed before antivirus scanning and is not application-aware.

39 File Block

40 Oversized File Blocking
The FortiGate unit can be configured to buffer 1 to 15 percent of available memory to store oversized files and emails. Files and emails that exceed this limit are blocked by the FortiGate unit rather than bypassing antivirus scanning. A replacement message is sent to the HTTP or email proxy client.
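Slides 38 and 40 describe two pre-scan decisions: name-based file blocking (applied before antivirus scanning and not application-aware) and blocking of files too large to buffer (1 to 15 percent of available memory) rather than letting them bypass scanning. The following is an added example, not code from the deck or from Fortinet, that applies those two checks in that order; the memory figures and filenames are constructed for illustration.

```python
from fnmatch import fnmatch
from typing import Optional, Tuple

# Default block patterns listed on slide 38. fnmatch's "?" matches exactly one
# character, so "*.vb?" covers .vbs, .vbe and similar.
DEFAULT_BLOCK_PATTERNS = [
    "*.bat", "*.com", "*.exe",                       # executables
    "*.gz", "*.rar", "*.tar", "*.tgz", "*.zip",      # compressed / archive
    "*.dll", "*.hta", "*.doc", "*.wps", "*.vb?", "*.scr", "*.pif",
]


def oversized_threshold(available_memory_bytes: int, percent: int) -> int:
    """Buffer limit for a file being scanned; slide 40 allows 1 to 15 percent."""
    if not 1 <= percent <= 15:
        raise ValueError("percent must be between 1 and 15")
    return available_memory_bytes * percent // 100


def blocked_by_pattern(filename: str, patterns=DEFAULT_BLOCK_PATTERNS) -> Optional[str]:
    """File blocking looks only at the name (not application-aware):
    returns the first matching pattern, or None."""
    name = filename.lower()
    for pat in patterns:
        if fnmatch(name, pat):
            return pat
    return None


def decide(filename: str, size_bytes: int, limit_bytes: int) -> Tuple[str, Optional[str]]:
    """Order of checks from the deck: file block, then oversize, then AV scan."""
    pat = blocked_by_pattern(filename)
    if pat is not None:
        return "block", f"file-pattern {pat}"
    if size_bytes > limit_bytes:
        # Too large to buffer: block rather than let it bypass scanning.
        return "block", "oversized"
    return "scan", None


if __name__ == "__main__":
    # Constructed: a unit with 1 GiB available, configured for 10 percent.
    limit = oversized_threshold(1024 * 1024 * 1024, 10)
    for name, size in [("Setup.EXE", 10_000), ("macro.vbs", 500),
                       ("lecture.mp4", limit + 1), ("notes.txt", 2_000)]:
        print(name, decide(name, size, limit))
```

Because `blocked_by_pattern` sees nothing but the filename, a file whose name does not match a pattern always proceeds to the scan stage; that is the practical meaning of "not application-aware" on slide 38, and the reason the antivirus scan behind it stays necessary.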

41 Fragmented Email FortiGate units cannot scan fragmented emails for viruses or use pattern blocking to remove restricted files. For security, do not enable "Pass Fragmented Emails" in protection profiles. For added security, disable the fragmenting of messages in the email client software.

42 Intrusion Detection/Prevention High performance; a more complete set of attack signatures; prevention and active blocking of abnormal traffic and protocols; customization; network monitoring without impact on performance
NIDS: supports traffic on multiple network segments simultaneously. A more complete set of attack signatures: includes 1,400 known attack signatures; supports user-defined attack signatures; signature-based attack recognition. Prevention and active blocking of abnormal traffic and protocols: provides 34 attack signatures. Customization: user-defined attack lists; email alert notification.

43 IDS & IPS An intrusion detection and prevention system has two functions: intrusion detection (IDS) and intrusion prevention (IPS). The IPS provides the following functions:
Monitor and analyze user and system behaviour; review network system configuration and network weaknesses; assess and protect important systems and data; statistically analyze abnormal behaviour; track and log those behaving abnormally; recognize normal behaviour and reject known attacks. Defence mechanisms: Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, Clear Session.

44 Internet Message and P2P

45 Easy-to-configure IDS User-defined attack signatures; nearly 1,400 attack signatures; signatures grouped by attack attribute for easy management; over 34 attack patterns; customization
Logs and alerts

46 NIPS Signatures

47 Intrusion Detection - Signature List Group

48 Intrusion Prevention – Default Setting
Disabled by default: "Source Session", "UDP Source Session", "ICMP Source Session", "ICMP Fragment", "IP record routing", "IP strict/loose source record routing", "IP stream/security/timestamp option", "IP fragment", "IP Land attack".

49 Intrusion Prevention – Synflood Setting
SYN flood attack: if received SYN requests exceed 200/sec, send them to the proxy; if proxy connections exceed 1024, discard the SYN request. Each proxy entry stays in the table for only 15 sec.
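Slide 49 gives three numbers: a 200 SYN/sec trigger, a 1024-entry proxy limit and a 15-second lifetime per proxy entry. The following added example (not code from the deck or from Fortinet) models that decision logic on the defending side: SYNs are counted over a sliding one-second window, excess SYNs are answered from a bounded proxy table, and SYNs arriving when the table is full are discarded. The class name, the window bookkeeping and the simulated timestamps are assumptions for the illustration.

```python
from collections import deque
from typing import Deque, Dict, Tuple


class SynFloodGuard:
    """Models slide 49's thresholds: above 200 SYN/s, new SYNs go to a proxy
    table capped at 1024 entries, each kept for 15 seconds."""

    def __init__(self, rate_threshold: int = 200, proxy_limit: int = 1024,
                 proxy_ttl: float = 15.0) -> None:
        self.rate_threshold = rate_threshold
        self.proxy_limit = proxy_limit
        self.proxy_ttl = proxy_ttl
        self._syn_times: Deque[float] = deque()                  # SYNs in the last second
        self._proxy_table: Dict[Tuple[str, int], float] = {}     # (src ip, port) -> added

    def _expire(self, now: float) -> None:
        # Drop SYN timestamps older than the one-second window.
        while self._syn_times and now - self._syn_times[0] >= 1.0:
            self._syn_times.popleft()
        # Drop proxy entries older than the TTL.
        stale = [k for k, t in self._proxy_table.items() if now - t >= self.proxy_ttl]
        for k in stale:
            del self._proxy_table[k]

    def syn_rate(self, now: float) -> int:
        """SYNs seen in the last second (the value compared with 200/s)."""
        self._expire(now)
        return len(self._syn_times)

    def proxied(self) -> int:
        return len(self._proxy_table)

    def handle_syn(self, src: Tuple[str, int], now: float) -> str:
        """Returns 'forward', 'proxy' or 'discard' for one incoming SYN."""
        self._expire(now)
        self._syn_times.append(now)
        if len(self._syn_times) <= self.rate_threshold:
            return "forward"                       # normal load: pass straight through
        if len(self._proxy_table) >= self.proxy_limit:
            return "discard"                       # proxy table full: drop the SYN
        self._proxy_table[src] = now               # complete the handshake on the server's behalf
        return "proxy"


if __name__ == "__main__":
    # Constructed simulation: a burst well above the threshold at t=0.
    guard = SynFloodGuard()
    verdicts = [guard.handle_syn(("198.51.100.1", 1000 + i), 0.0) for i in range(1300)]
    print({v: verdicts.count(v) for v in ("forward", "proxy", "discard")})
    print("proxy entries:", guard.proxied())
    print("after 20 s:", guard.handle_syn(("198.51.100.2", 4321), 20.0), guard.proxied())
```

The bounded table is the point of the 1024 limit: it caps the memory the unit spends answering half-open connections during a flood, and the 15-second TTL frees entries from clients that never finish the handshake.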

50 IPS Signatures

51 Content filtering products can roughly be divided into three major areas: web filtering, email filtering and instant messaging. Natural-language filtering is provided.
URL blocking, keyword and phrase filtering; blocking of malicious ActiveX, Java applets and cookies; email filtering; support for other vendors' blacklists. Native content filtering (uses "free" blacklists). URL blocking, keyword or phrase blocking. Policy and content-profile-based filtering: profiles consolidate filtering policies for AV, Web, etc. (new in 2.5); selectively scan, block or allow different content types for different users and groups. Blocks ActiveX, Java applets, and cookies. Enables CIPA compliance for US primary/secondary schools. Email filtering: subject lines of incoming messages can be tagged based on matching a user-defined sender blacklist or keyword/phrase list; enables easy sorting by any email client.

52 Web Content Filter URL blocking, keyword and phrase filtering
Blocking of malicious ActiveX, Java applets and cookies

53 Spam Preventing and managing spam has become a new and important topic in network information security. According to market research by Ferris Research, spam not only costs European and US companies 8.9 billion and 2.5 billion US dollars per year respectively, it also consumes 500 million US dollars of telecom service providers' resources. Over 74% of respondents considered that "dealing with spam wastes time," and as many as 66.6% feared that their computer would be infected through spam. These figures show that spam has become a nightmare for companies, employees and MIS staff.

54 Mail header analysis and checking -- more and more email is presented in HTML form
Second, it directly sends out booby-trapped HTML; an Internet worm that spreads through vulnerabilities in Explorer and IIS systems. Like a file virus, it can also infect Win32 executables and files with the extensions html, htm and asp.

55 Artificial intelligence and image recognition techniques AI-based matching and classification: professional products on the market now also make use of the recently popular data mining technique, applying a variety of probabilistic and statistical intelligent classification models such as Bayesian probability, fuzzy logic, neural networks and so on. Image recognition: having mentioned AI methods, we turn to another. The methods above are limited to recognizing or classifying text, but to counter these common blocking methods recent spam has learned to evade traditional filter conditions easily: more and more spam presents its text as image files. Some products on the market therefore claim to extract the text by OCR and match feature values, so that such spam still cannot hide. Some even claim to use AI image recognition theory to track skin tones and detect pornographic image attachments.

56 Spam
Uses a wide variety of local and network tests to identify spam signatures: IP address; RBL and ORDBL address; MIME headers; banned words. Once identified, the mail can then be tagged as spam for later filtering using the user's own mail user-agent application (enables easy sorting by any email client), or rejected (SMTP).
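Slide 56 lists the tests (sender IP against an RBL/ORDBL, MIME headers, banned words) and the two outcomes (tag the subject for the user's mail client, or reject in the SMTP session). The following is an added example, not code from the deck or from Fortinet, that runs those tests over a constructed message and applies the protocol-dependent outcome; the blacklist, the banned phrases, the missing-Message-ID header test and the sample messages are all constructed.

```python
from email import message_from_string
from email.message import Message
from typing import List, Optional, Tuple

# Constructed lists standing in for an RBL/ORDBL lookup and a banned-word table.
IP_BLACKLIST = {"203.0.113.45"}
BANNED_PHRASES = ["free money", "click here now"]


def _text_of(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(parts)


def spam_reasons(raw: str, peer_ip: str) -> List[str]:
    """Runs the local and network tests from the slide; lists those that fired."""
    msg = message_from_string(raw)
    reasons = []
    if peer_ip in IP_BLACKLIST:                    # network test: sender IP on a blacklist
        reasons.append(f"rbl:{peer_ip}")
    if "Message-ID" not in msg:                    # MIME header test (constructed rule)
        reasons.append("mime-header:missing-message-id")
    haystack = (msg.get("Subject", "") + " " + _text_of(msg)).lower()
    for phrase in BANNED_PHRASES:                  # banned word / phrase test
        if phrase in haystack:
            reasons.append(f"banned-word:{phrase}")
    return reasons


def handle(raw: str, peer_ip: str, protocol: str) -> Tuple[str, Optional[str]]:
    """SMTP: reject spam in session. POP3/IMAP: tag the Subject and deliver."""
    reasons = spam_reasons(raw, peer_ip)
    if not reasons:
        return "deliver", raw
    if protocol == "smtp":
        return "reject", None
    msg = message_from_string(raw)
    if "Subject" in msg:
        msg.replace_header("Subject", "[SPAM] " + msg["Subject"])
    else:
        msg["Subject"] = "[SPAM]"
    return "tag", msg.as_string()


# Constructed sample messages.
SPAM = ("From: offers@example.net\n"
        "To: student@example.edu\n"
        "Subject: Free money inside\n"
        "Content-Type: text/plain\n"
        "\n"
        "Click here now to claim your prize.\n")

HAM = ("From: registrar@example.edu\n"
       "To: student@example.edu\n"
       "Subject: Timetable change\n"
       "Message-ID: <constructed-1@example.edu>\n"
       "Content-Type: text/plain\n"
       "\n"
       "Tomorrow's lecture moves to room 2F.\n")

if __name__ == "__main__":
    print(spam_reasons(SPAM, "203.0.113.45"))
    print(handle(SPAM, "203.0.113.45", "smtp")[0])       # reject
    print(handle(SPAM, "203.0.113.45", "pop3")[1].splitlines()[2])  # tagged subject
    print(handle(HAM, "198.51.100.5", "smtp")[0])        # deliver
```

Tagging rather than rejecting is what makes the POP3/IMAP path client-independent: any mail user agent can sort on a subject prefix, which is the "easy sorting by any client" point on the slide.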

57 Spam Filter

58 Email Filter

59 Bandwidth management (QoS) Efficient use and allocation of network bandwidth; policy-based bandwidth management; guaranteed bandwidth (Kbytes per second)

60 Traffic Shaping Guaranteed Bandwidth Maximum Bandwidth
You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service. Maximum Bandwidth You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services. Traffic Priority Select High, Medium, or Low. Select Traffic Priority so that the FortiWiFi unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
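Slides 14 and 60 describe traffic shaping as guaranteed bandwidth, maximum bandwidth and a High/Medium/Low priority, with "token bucket" as the mechanism. The following is an added example, not code from the deck or from Fortinet, that allocates one second of link time in two passes (guarantees first, then leftover by priority, never above a policy's maximum) and includes a token bucket for enforcing a maximum rate packet by packet. The policies, link size and demands are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

PRIORITY = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class ShapingPolicy:
    name: str
    guaranteed_kbps: int   # KB/s reserved for this policy
    maximum_kbps: int      # KB/s ceiling for this policy
    priority: str          # "high", "medium" or "low"


def allocate(policies: List[ShapingPolicy], demand_kb: Dict[str, int],
             link_kbps: int) -> Dict[str, int]:
    """Bandwidth granted to each policy for one second of link time."""
    grant = {p.name: 0 for p in policies}
    remaining = link_kbps
    # Pass 1: every policy receives its guaranteed share first.
    for p in policies:
        share = min(demand_kb.get(p.name, 0), p.guaranteed_kbps, remaining)
        grant[p.name] += share
        remaining -= share
    # Pass 2: leftover goes to higher priorities first, never above each maximum.
    for p in sorted(policies, key=lambda p: PRIORITY[p.priority]):
        wanted = demand_kb.get(p.name, 0) - grant[p.name]
        headroom = p.maximum_kbps - grant[p.name]
        extra = max(0, min(wanted, headroom, remaining))
        grant[p.name] += extra
        remaining -= extra
    return grant


class TokenBucket:
    """Enforces a maximum rate packet by packet: tokens refill at the rate
    and a packet passes only if enough tokens are available."""

    def __init__(self, rate_kbps: float, burst_kb: float) -> None:
        self.rate, self.capacity = rate_kbps, burst_kb
        self.tokens, self.last = burst_kb, 0.0

    def allow(self, size_kb: float, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_kb <= self.tokens:
            self.tokens -= size_kb
            return True
        return False


# Constructed policies on a 1000 KB/s link.
POLICIES = [
    ShapingPolicy("ecommerce", 400, 1000, "high"),
    ShapingPolicy("web", 100, 600, "medium"),
    ShapingPolicy("p2p", 0, 200, "low"),
]

if __name__ == "__main__":
    print(allocate(POLICIES, {"ecommerce": 700, "web": 500, "p2p": 500}, 1000))
    print(allocate(POLICIES, {"ecommerce": 100, "web": 100, "p2p": 500}, 1000))
    bucket = TokenBucket(rate_kbps=200, burst_kb=200)
    print(bucket.allow(200, 0.0), bucket.allow(1, 0.0), bucket.allow(100, 0.5))
```

In the first allocation the low-priority policy gets nothing because the higher priorities consume the link; in the second it is held to its 200 KB/s maximum even though 800 KB/s is idle, which is the "limit bandwidth to keep less important services from using bandwidth needed for more important services" behaviour on the slide.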

61 VPN VPN support; DES, 3DES and AES encryption; PPTP, L2TP and IPSec tunnels
IKE certificate authentication (X.509); IPSec NAT traversal; dynamic DNS host names for VPN tunnels; IPSec in Transparent mode; DHCP over IPSec; antivirus for VPN tunnels; apply firewall policies to VPN tunnels; apply AV and content filtering as part of firewall policies

62 VPN Can now select individual service/port via “Encrypt” within Firewall Policy IPSec now supports AES encryption with 128, 196, or 256 bit strength Provide certificate support for all IPSec, PPTP, & L2TP tunnels Can import certificates from a CA or can generate internally New advanced features in IPSec with Xauth, Dead Peer Detection, and Peer ID options HA support for VPN fail-over

63 IPSec VPN Services

64 IPSec VPN Advanced Options

65 VPN Services selection

66 Network security application trends and technologies

67 Best of Breed Gateway Antivirus, And a Compelling All-In-One Solution
Figure: a Best of Breed Content Security Gateway (antivirus, content filtering; *antivirus in "Transparent Mode" for the MSSP) and an All-in-One Solution (antivirus, content filtering, firewall, VPN, NIDS/IDP), deployed at the Enterprise HQ/Data Center, Branch Office, Small Office/Telecommuter and MSSP, with IDS and VPN for Mobile Workers (remote VPN client or wireless users).

68 Network security architecture diagram
Figure: Internet routers (45 Mb and 10 Mb links) into the core network; DMZ with campus servers (FTP servers, DNS servers); server farm; second computer room; administrative system; IP phone system to the PSTN; ISDN videoconferencing; dormitory with networked PCs (DHCP clients); networked PCs with IP phones; departmental VLAN; modem pool. Security gateways: network security gateway (HA), backbone high-speed network security gateway (HA), departmental network security gateways.

69 High-Availability Solution For Mission Critical Applications
Figure: Router, Switch, Firewall, Switch, Internet/Intranet users. Notes: Connect one (or more) of the real servers to one switch and some to the other switch. This way, if one of the switches dies you will still have access to one or more of the real servers. Run HSRP on the routers connected to the Internet. The LocalDirectors do not load balance between themselves; only one LocalDirector is active at any one time. During LD failover you will lose the current connections, since LD currently does not support stateful failover. Router A e0: , e1: Router B e0: , e1: No single point of failure. Ideal for mission-critical applications. Identifies failed servers and applications and redirects around them.

70 FORTINET – Recommended High-Availability Network Security Architecture
Figure: Router 1 and Router 2; GE trunks to Switch A1 and Switch A2; an H.A. pair of FGT 3000 units; GE trunks to Switch B1 and Switch B2; DMZ (server farm); VLANs V1~V10 (v1 ... v10) serving Group1 ... Group10.

71 A Complete Solution for the Educational Network
Figure labels: Internet; Intranet/Extranet; Backbone; branch campus; DMZ; TS; departments; Labs; dorm network; Core Network; Data Center. 1. FG5020 x2, HA: adds antivirus and IDS/IDP protection at the Internet edge in transparent mode behind the existing firewall. 2. FG3600: provides antivirus, IDS/IDP and firewall protection and traffic shaping for dorms. 3. FG3600 x2, HA: adds antivirus and IDS/IDP protection to the existing firewall for OA services. 4. FG5020 x2, HA: adds antivirus and IDS/IDP in transparent mode behind the existing firewall; FG3000 x2, HA: provides in-line firewall, antivirus and IDS/IDP functionality to the data center. 5. (dorm network, labs). 6. FortiClient: protects user PCs and workstations.

72 Differentiated Technology Solution
Fortinet provides the only complete solution to effectively address the new enterprise security threats

73 Centralized Management

74 Centralized Management
Security Service Management - Central Management Complete turnkey management solution Policy Manager Create Policies for multiple devices and groups Create Content Profiles for multiple devices Realtime Monitor System Health, Device Status, Session Monitor, Traffic Flow, Anti-Virus, Attack, Alert Notification Device Manager Model – create offline devices and configs, check differences Log Viewer Object Manager Admin Manager - Role Based Administration Server Manager

75 FortiManager System Supports Large Deployments
FortiManager Admin Consoles Java based admin console(s) Powerful, easy to use Multiple administrators with role-based privileges Security hardened, plug & play appliance Scale to thousands of FortiGate units Centralized configuration, logging, monitoring Corba interface for OSS/BSS integration FortiManager Server (Appliance) FortiGate AV Firewalls under Mgmt. Independent management domains Supports departmental and/or regional management

76 FortiManager 2.80 Components
SMS Security Management System NMS Network Management System EMS Element Management System Log Monitor Real time Log Historical Log Schedule Log back up Real time System AV + NID Monitor Policy Manager Device Configuration Access Rule System config NIDS

77 Device Manager

78 Policy Manager

79 FortiManager 2.8 Architecture
Relational DB Central Management Platform Rack Mountable Easy deployment Management Console Java app Multiple Administers Database Hooks Historical storage FortiGate Antivirus Firewalls Multiple platforms Multiple functionalities

80 Reporter

81 Without FirewallAnalyzer
The good news is that firewalls stream all activity as syslog messages, and syslog servers capture this information into log files. But finding valuable information in firewall log files, which contain huge amounts of cryptic information, is not easy.
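Slide 81 makes the case for a reporting tool, and slides 85, 106 and 107 show the kind of output wanted (top viruses blocked by day, virus and attack logs). The following added example, which is not code from the deck or from any Fortinet or FirewallAnalyzer product, parses a constructed key=value syslog sample (a generic layout, not a vendor's format) and produces those two summaries; the dates, addresses and detection names in the sample are constructed.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines in a generic key=value syslog style (not a vendor format).
SAMPLE_LOG = """\
date=2004-03-15 time=09:12:01 type=virus action=blocked virus="W32/Msblast.A" src=10.3.4.5 dst=203.0.113.9 service=smtp
date=2004-03-15 time=09:40:22 type=virus action=blocked virus="Eicar-Test-Signature" src=10.3.4.6 dst=203.0.113.9 service=pop3
date=2004-03-15 time=11:02:47 type=virus action=blocked virus="W32/Msblast.A" src=10.3.9.1 dst=198.51.100.2 service=http
date=2004-03-15 time=13:15:09 type=attack action=dropped attack="TCP SYN flood" src=198.51.100.77 dst=10.0.0.1
date=2004-03-16 time=08:01:30 type=virus action=blocked virus="Eicar-Test-Signature" src=10.3.4.6 dst=203.0.113.9 service=smtp
date=2004-03-16 time=08:05:11 type=virus action=blocked virus="Eicar-Test-Signature" src=10.3.4.8 dst=203.0.113.9 service=smtp
date=2004-03-16 time=16:44:58 type=virus action=blocked virus="W32/Msblast.A" src=10.3.4.5 dst=198.51.100.2 service=ftp
"""

# key=value pairs; values may be quoted and contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """One syslog line into a dict, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def top_viruses_by_day(records: List[Dict[str, str]], n: int = 3) -> Dict[str, List[Tuple[str, int]]]:
    """The 'Top Viruses Blocked by Day' view: per date, the n most blocked names."""
    per_day: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        if r.get("type") == "virus" and r.get("action") == "blocked":
            per_day[r["date"]][r["virus"]] += 1
    return {day: c.most_common(n) for day, c in sorted(per_day.items())}


def repeat_sources(records: List[Dict[str, str]], min_hits: int = 2) -> Dict[str, int]:
    """Internal hosts that keep tripping the virus scanner: outbreak candidates."""
    counts = Counter(r["src"] for r in records if r.get("type") == "virus")
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def attack_summary(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Attack log rollup: dropped attack name -> count."""
    return dict(Counter(r["attack"] for r in records if r.get("type") == "attack"))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for day, top in top_viruses_by_day(recs).items():
        print(day, top)
    print("repeat sources:", repeat_sources(recs))
    print("attacks:", attack_summary(recs))
```

The `repeat_sources` view is the one a campus MIS team would act on: a host that is blocked several times in a day is the machine that needs patching or cleaning, which is exactly the "hard to control outbreaks" pain point in the case study that follows.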

82 FortiReporter
Graphical report interface; professional log analysis for the whole Fortinet firewall series; simple graphical remote Web management interface; varied network traffic reports; intrusion detection analysis reports; antivirus reports; web filtering reports; email filtering reports; report distribution; log support for multiple Fortinet firewalls; raw log export; freely selectable report query intervals

83 FirewallAnalyzer – Instant Reporting

84 FirewallAnalyzer – Drill Down

85 FirewallAnalyzer – Top Viruses Blocked by Day

86 FirewallAnalyzer - Features
Auto-discovery of Firewalls – FirewallAnalyzer automatically recognizes all configured firewalls. Advanced Log Data Collection, Data Update and Management – automatically recognizes and collects log data; saves significant disk space and network bandwidth. Policy-Based Data Update – allows for automatic transfer of delta log files and updates the data into a central repository. Scalable and Comprehensive Data Management – patent-pending FScale™ data management allows efficient processing, management and optimal storage of large amounts of current and historical log data from 100s of firewalls. Intelligent Data Correlation – combines and correlates a variety of data from all firewalls. Rules-Based Alerts – automatically sends alerts based on user-defined thresholds. Executive Dashboard – provides a summary of activity across firewalls, while giving the drill-down option. Role-Based Access – limits what each user can view based on their role and firewalls. Managed Security Service Provider (MSSP) Support – offers a value-added reporting service to customers using the Reporting Portal, and allows each customer to view only their own firewall data.

87 FirewallAnalyzer - Features
Easy to Understand Reports – generates easy-to-understand and easy-to-interpret graphical and tabular reports. Automated Report Generation & Distribution – generates over 300 reports, with an easy mechanism to send reports automatically to multiple recipients. Multiple Report Formats – Instant Reports, HTML, MS Word, MS Excel, Text and PDF. Automated Syslog Collection – from firewall and VPN appliances. Multiple Firewall Vendor Support – supports all leading firewall appliances and servers. Instant Reports with Powerful Drill Down – generates reports in real time without having to wait for the processing of log files; the drill-down feature displays 2nd and 3rd level details with a single click. Reduced Network Traffic – reduces network traffic between the syslog server and FirewallAnalyzer by using delta log files in compressed format. Archiving – saves disk space by archiving processed log files.

88 High-Availability

89 High Availability
Active-Active and Active-Passive; HA is also provided in transparent mode; packet forwarding methods: None, Hub, Least-Connection, Round-Robin, Weighted-RoundRobin, Random, IP, IP Port; firewall and VPN failover within 3 seconds; HA alerts: once failover is triggered, the unit actively notifies MIS via SNMP and logs the event. FGCP (FortiGate Clustering Protocol) supports both Active-Passive and Active-Active configurations through a layer 2 switch. Active-Active clustering of up to 8 FG units provides both stateful failover and effective load balancing to enhance system performance (2.5). 6 load balancing algorithms supported: round robin, least connections, etc.

90 Firewall Management

91 Built-in management functions SNMP – Simple Network Management Protocol; SSH – Secure Shell
CLI – Command-line Interface; Web GUI – Web graphical user interface, a "killer app"! Security through SSL

92 Real-time monitoring screen

93 How individual users can defend against network threats

94 Personal computer protection needs AV protection; personal firewall; host IDS
Anti-virus/Anti-spam Anti-spyware/Anti-Trojan Personal Firewall Host IDS Windows Registry alerts Large scale policy management Centralized policy management VPN IPSec client for secure connectivity

95 Active Port

96 Case Study Confidential

97 Data Center Security Option 1: Conventional Point Solutions
Check Point Firewall-1 on Nokia IP 740 Firewall Intrusion Detection Tipping Point UnityOne-400 Server Server Trend Micro antivirus software (10,000 user license) on 4 Dell servers Server Server Data Center

98 Data Center Security Option 2: FortiGate 3600 System
FortiGate 3600 extends existing perimeter security architecture for one or more of the following functions Firewall Gateway Antivirus Transparent-mode Firewall Intrusion Detection and Prevention VPN connectivity Content Filtering Traffic Shaping Data Center

99 Acquisition / First Year Costs
Technology: FortiGate 3600 / Point Solutions. Firewall: $30,000 / $70,000. Antivirus: Included (FortiGate 3600). NIDS/IDP: $43,000 (point solutions). Acquisition cost: $183,000 (point solutions). Services (maintenance, subscriptions, support): $15,000 (est.) / $50,000 (est.). Personnel cost per year: $75,000 / $75,000. Training: $2,000 / $7,500 (est.).

100 Three Year Cost Comparison
Category: FG3600 3-year cost est. / Point solution / $ difference / % difference. Acquisition: $30,000 / $183,000 / ($153,000) / (84%). Services: $45,000 / $150,000 / ($105,000) / (70%). Personnel: $225,000 / $450,000 / ($225,000) / (50%). Training: $6,000 / $22,500 / ($16,500) / (73%). TCO: $306,000 / $805,500 / ($499,500) / (62%).

101 Internet Server Farm Downtown Campus Waishuanghsi Campus
Figure (campus network diagram): uplinks to TANet, TANet II, Hinet and Seednet through Cisco routers (ASCC Cisco 4700, Cisco 3660); Internet server farm (mail, DNS, Vod.scu.edu.tw) behind a Fortigate 3000; Cisco 6509 core switches at the Downtown Campus and the Waishuanghsi Campus, with a Fortigate 1000 in front of the Administration & Academic System; CacheFlow 6000; HPOV and Netflow servers; building and departmental switches (Cisco Catalyst 1900/2900/3500/4908/5500 series, Extreme 24e2 and 48si, Foundry FSW4802, Accton hub, Ascend 600); computer labs (B502, B509, B515, B610); Housenet; FastEthernet FX/fiber, Giga SX and Giga LX links.

102 Key Security Considerations
Malware Hard to control outbreaks Rogue notebooks Unauthorized access Internal / external threats Bandwidth use Need to regulate Wireless Increasingly prevalent

103 Security Requirements
Enhance security Previously lacked formal security policy Want to keep network open Secure perimeter Need to secure from threats outside / threats from within Limit virus threat Secure at core network gateway Secure at sub-net gateways

104 Previous Security Architecture
Layer 3 switch/Router Packet filtering based on access lists No Firewall No IDS Antivirus for mail server Software solution Recommended use of client AV to students & staff

105 Vendor Selection Criteria Evaluated Hardware Price Performance
Manageability Evaluated Fortinet NetScreen SonicWall Nokia (Check Point) Cisco PIX

106 Virus Log

107 Attack Log

108 Chose Fortinet! Broad functionality High-performance
Especially for antivirus High-performance Gigabit-level real-time protection Technical support from SI and Fortinet Hewlett-Packard Taiwan Business relationship Trust Fortinet and HP teams Long-term relationship with Fortinet AM, Paul Huang

109 Products Selected FG3000 FG1000 FG60
Perimeter security on core network Firewall, Antivirus, NIDS FG1000 Perimeter security on sub-net to student records FG60 NPAT between FG3000 and server farm Will add NIDS and AV functions

110 Network Design Intermost Network FG3000 FG1000 TANET II TANET
1000 Mbps Intermost Network Layer 3 switch FG3000 VPN tunnel 1000 Mbps Server Farm 100 Mbps 1000 Mbps Waishuanghsi Campus Cisco 6509 VPN tunnel Public Servers 1000 Mbps Downtown Campus Cisco 6509 Internal User PC Internal User PC Public Servers L2 Switch FG1000 L3 switch Administration & Academic System

111 Benefits Vastly improved security Ease of management Secure perimeter
Alleviated malware threat DoS protection Virus protection Ease of management Automated push updates Improved reporting with eIQ MIS can have more time to manage rest of networking events

112 Future Plans Considering adding additional units
For two campus gigabit gateways For Different schools Looking at FG60 for sub-nets For different departments (LAN) Appears to fulfill requirements Cost-effective

113 Q&A Thank you

