SlideShare a Scribd company logo

UTM Unified Threat Management

Download as PPT, PDF
Lokesh Sharma
Lokesh Sharma

The document discusses a study and implementation of unified threat management (UTM) and web application firewall (WAF) at the Defence Research and Development Organisation (DRDO) in India. It describes common internal and external threats organizations face, how UTM provides centralized security functions through a single management console, and how WAF protects against attacks like SQL injection, cross-site scripting, denial of service attacks, and session hijacking that target web applications. The advantages of UTM include reduced complexity, ease of deployment, and integration capabilities, while disadvantages include lower performance and potential vendor lock-in for large organizations.

Related slideshows

Network Security ppt
Network Security pptNetwork Security ppt
Network Security ppt
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security Definition
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
1 of 22
STUDY AND IMPLEMENTATION OF UNIFIED THREAT MANAGEMENT AND WEB APPLICATION FIREWALL UNDERTAKEN AT Defence Research and Development Organisation (DRDO) By: Lokesh Sharma ECE (1222531042) 1
Internal threats  Identity theft  Data loss  Data deletion  Data modification External threats  Worms  Malicious code  Virus  Malware Social Engineering threats  Spam  Phishing  Pharming  Data theft  DoS attacks  Hacking USER Attack on Organization User – The Weakest Security Link 2
Why is this an issue?  Traditional firewalls cannot detect these new applications they rely on port numbers or protocol identifiers to recognize and categorize network traffic and to enforce policies related to such traffic  Apps that use specific port numbers or protocols make it easy for network administrators to block unwanted traffic, but browser-based applications often use only two port numbers, each associated with a protocol vital to user productivity and responsible for the bulk of Internet traffic today  This means that all traffic from browser-based apps looks exactly the same to traditional firewalls; they can’t differentiate between applications, so there is no easy way to block bad, unwanted, or inappropriate programs whilst permitting desirable or necessary apps to proceed unhindered 3
Unified Threat Management (UTM)  Unified threat management (UTM) is an approach to security management that allows an administrator to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console. • UTM delivers a flexible, future-ready solution to meet the challenges of today’s networking environments. • UTMs represent all-in-one security appliances that carry a variety of security capabilities including firewall, VPN, gateway anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth management, application control and centralized reporting as basic features. • The UTM has a customized OS holding all the security features at one place. 4
UTM The best UTM solutions include the following core security functions: Network firewalls perform stateful packet inspection IPS detects and blocks intrusions and certain attacks Application control provides visibility and control of application behaviour and content VPN enables secure remote access to networks Web filtering halts access to malicious, inappropriate, or questionable websites and online content IPv6 support in all network security functions protects networks as they migrate from IPv4 to IPv6 Support for virtualized environments, both virtual domains and virtual appliances 5
Servers Firewalls IPS (Intrusion Protection System) Switches Routers Modem Applications Desktop systems Logs & Events Identity Logging Reporting Compliance Management Forensic Analysis Data Protection Security Management 6
UTM vs. NGFW  The difference between UTMs and NGFWs is actually minimal. The only tangible difference that may be found involves their respective throughput ratings; devices marketed as UTMs typically have a lower throughput rating and are marketed to small and medium-sized businesses, while devices that maintain a higher throughput rating are typically marketed as NGFWs. In terms of functionality, the two devices are almost carbon copies.  NGFW NGFWs were designed to perform intrusion prevention and deep packet inspection while many of the other features mentioned above were offloaded to other devices to conserve network throughput and thereby better serve an enterprise network. More recently, NGFWs added application firewall features, a dynamic new capability that in many cases has allowed enterprises to consolidate and use a single device to protect their applications and core networks. At present, however, multi-Gigabit LAN speeds are commonplace, and the need for a device that only performs certain NGFW functions has become obsolete. 7
Key Features & Capabilities of UTM  The standard and Next-Generation Network Firewall (NGFS) functions include: • The ability to track and maintain state information for communications to determine the source and purpose of network communications. • The ability to allow or block traffic based on configured policy (which can be integrated with the state information). • The ability to perform Network Address Translation (NAT) and Port Address Translation(PAT). • The ability to perform application aware network traffic scanning, tracking and control. • The ability to optimize a network connection (i.e. using TCP optimization). 8
Advantages of Using a Unified Threat Management • Less Complexity- The all-in-one approach simplifies several things, such as product integration, product selection and ongoing support. • Ease of Deployment- As lesser human intervention is required, it is easy to install and maintain. One can get the product installed by finding a reputed vendor online. • The Black Box Approach- Users have a habit of playing with things. Here, the black box approach puts a restriction on the damage that users can cause. This diminishes trouble and enhances network security. • Integration Capabilities- The appliances can be distributed easily at remote sites. In such a scenario, a plug and play device can be set up and handled remotely. This type of management is interactive with firewalls that are software- based. 9
Disadvantages of Unified Threat Management  Lower performance  Single point of failure.  Vendor lock-in.  Difficult to scale in large environments.  Limited feature set compared to point product alternatives. 10
11
WEB APPLICATION FIREWALL  A web application firewall (WAF) is an appliance, server plug-in, or filter that applies a set of rules to an HTTP conversation. The effort to perform this customization can be significant and needs to be maintained as the application is modified.  Web application firewall is a computer networking firewall operating at the application layer of a protocol stack and is also known as a proxy-based or reverse-proxy firewall.  WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code. 12
13 Problem WAF Countermeasure Cookie protection + + Cookies can be signed Cookies can be encrypted. Information leakage + Cloaking filter, outgoing pages can be cleaned (error messages, comments, undesirable information). Session fixation = Can be prevented if the WAF manages the sessions itself File upload + Virus check (generally via external systems) SSL + SSL connection possible from WAF to application. Cross-site tracing + Restriction of the HTTP method HTTP request smuggling + Is prevented via strict testing of the conformity to standards of each request.
ATTACKS PREVENTED BY WEB APPLICATION FIREWALL  SQL INJECTION  CROSS-SITE SCRIPTING (XSS)  DOS ATTACKS AND DDOS ATTACKS  SESSION HIJACKING ATTACKS 14
SQL INJECTION  A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.  A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS).  SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system  SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces 15
CROSS-SITE SCRIPTING (XSS)  Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.  XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.  Cross-Site Scripting (XSS) attacks occur when Data enters a Web application through an untrusted source, most frequently a web request. The data is included in dynamic content that is sent to a web user without being validated for malicious content. 16
CROSS-SITE SCRIPT ATTACK Example 17
DOS ATTACKS AND DDOS ATTACKS  The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.  Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server.  Denial-of-service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. 18
HOW DOS ATTACKS PERPETRATED?  A DoS attack can be perpetrated in a number of ways:  Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.  Disruption of configuration information, such as routing information.  Disruption of state information, such as unsolicited resetting of TCP sessions.  Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. 19
SESSION HIJACKING ATTACKS  The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections.  The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.  The session token could be compromised in different ways : Predictable session token Session Sniffing Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc) Man-in-the-middle attack Man-in-the-browser attack 20
21 THREE PROTECTION STRATEGIES 1. External patching  Also known as "just-in-time patching" or "virtual patching"). 1. Negative security model  Looking for bad stuff.  Typically used for Web Intrusion Detection.  Easy to start with but difficult to get right. 1. Positive security model  Verifying input is correct.  Usually automated, but very difficult to get right with applications that change.  It's very good but you need to set your expectations accordingly.
Thank you! Download this presentation from Questions? 22

More Related Content

UTM Unified Threat Management

  • 1. STUDY AND IMPLEMENTATION OF UNIFIED THREAT MANAGEMENT AND WEB APPLICATION FIREWALL UNDERTAKEN AT Defence Research and Development Organisation (DRDO) By: Lokesh Sharma ECE (1222531042) 1
  • 2. Internal threats  Identity theft  Data loss  Data deletion  Data modification External threats  Worms  Malicious code  Virus  Malware Social Engineering threats  Spam  Phishing  Pharming  Data theft  DoS attacks  Hacking USER Attack on Organization User – The Weakest Security Link 2
  • 3. Why is this an issue?  Traditional firewalls cannot detect these new applications they rely on port numbers or protocol identifiers to recognize and categorize network traffic and to enforce policies related to such traffic  Apps that use specific port numbers or protocols make it easy for network administrators to block unwanted traffic, but browser-based applications often use only two port numbers, each associated with a protocol vital to user productivity and responsible for the bulk of Internet traffic today  This means that all traffic from browser-based apps looks exactly the same to traditional firewalls; they can’t differentiate between applications, so there is no easy way to block bad, unwanted, or inappropriate programs whilst permitting desirable or necessary apps to proceed unhindered 3
  • 4. Unified Threat Management (UTM)  Unified threat management (UTM) is an approach to security management that allows an administrator to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console. • UTM delivers a flexible, future-ready solution to meet the challenges of today’s networking environments. • UTMs represent all-in-one security appliances that carry a variety of security capabilities including firewall, VPN, gateway anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth management, application control and centralized reporting as basic features. • The UTM has a customized OS holding all the security features at one place. 4
  • 5. UTM The best UTM solutions include the following core security functions: Network firewalls perform stateful packet inspection IPS detects and blocks intrusions and certain attacks Application control provides visibility and control of application behaviour and content VPN enables secure remote access to networks Web filtering halts access to malicious, inappropriate, or questionable websites and online content IPv6 support in all network security functions protects networks as they migrate from IPv4 to IPv6 Support for virtualized environments, both virtual domains and virtual appliances 5
  • 6. Servers Firewalls IPS (Intrusion Protection System) Switches Routers Modem Applications Desktop systems Logs & Events Identity Logging Reporting Compliance Management Forensic Analysis Data Protection Security Management 6
  • 7. UTM vs. NGFW  The difference between UTMs and NGFWs is actually minimal. The only tangible difference that may be found involves their respective throughput ratings; devices marketed as UTMs typically have a lower throughput rating and are marketed to small and medium-sized businesses, while devices that maintain a higher throughput rating are typically marketed as NGFWs. In terms of functionality, the two devices are almost carbon copies.  NGFW NGFWs were designed to perform intrusion prevention and deep packet inspection while many of the other features mentioned above were offloaded to other devices to conserve network throughput and thereby better serve an enterprise network. More recently, NGFWs added application firewall features, a dynamic new capability that in many cases has allowed enterprises to consolidate and use a single device to protect their applications and core networks. At present, however, multi-Gigabit LAN speeds are commonplace, and the need for a device that only performs certain NGFW functions has become obsolete. 7
  • 8. Key Features & Capabilities of UTM  The standard and Next-Generation Network Firewall (NGFS) functions include: • The ability to track and maintain state information for communications to determine the source and purpose of network communications. • The ability to allow or block traffic based on configured policy (which can be integrated with the state information). • The ability to perform Network Address Translation (NAT) and Port Address Translation(PAT). • The ability to perform application aware network traffic scanning, tracking and control. • The ability to optimize a network connection (i.e. using TCP optimization). 8
  • 9. Advantages of Using a Unified Threat Management • Less Complexity- The all-in-one approach simplifies several things, such as product integration, product selection and ongoing support. • Ease of Deployment- As lesser human intervention is required, it is easy to install and maintain. One can get the product installed by finding a reputed vendor online. • The Black Box Approach- Users have a habit of playing with things. Here, the black box approach puts a restriction on the damage that users can cause. This diminishes trouble and enhances network security. • Integration Capabilities- The appliances can be distributed easily at remote sites. In such a scenario, a plug and play device can be set up and handled remotely. This type of management is interactive with firewalls that are software- based. 9
  • 10. Disadvantages of Unified Threat Management  Lower performance  Single point of failure.  Vendor lock-in.  Difficult to scale in large environments.  Limited feature set compared to point product alternatives. 10
  • 11. 11
  • 12. WEB APPLICATION FIREWALL  A web application firewall (WAF) is an appliance, server plug-in, or filter that applies a set of rules to an HTTP conversation. The effort to perform this customization can be significant and needs to be maintained as the application is modified.  Web application firewall is a computer networking firewall operating at the application layer of a protocol stack and is also known as a proxy-based or reverse-proxy firewall.  WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code. 12
  • 13. 13 Problem WAF Countermeasure Cookie protection + + Cookies can be signed Cookies can be encrypted. Information leakage + Cloaking filter, outgoing pages can be cleaned (error messages, comments, undesirable information). Session fixation = Can be prevented if the WAF manages the sessions itself File upload + Virus check (generally via external systems) SSL + SSL connection possible from WAF to application. Cross-site tracing + Restriction of the HTTP method HTTP request smuggling + Is prevented via strict testing of the conformity to standards of each request.
  • 14. ATTACKS PREVENTED BY WEB APPLICATION FIREWALL  SQL INJECTION  CROSS-SITE SCRIPTING (XSS)  DOS ATTACKS AND DDOS ATTACKS  SESSION HIJACKING ATTACKS 14
  • 15. SQL INJECTION  A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.  A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS).  SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system  SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces 15
  • 16. CROSS-SITE SCRIPTING (XSS)  Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.  XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.  Cross-Site Scripting (XSS) attacks occur when Data enters a Web application through an untrusted source, most frequently a web request. The data is included in dynamic content that is sent to a web user without being validated for malicious content. 16
  • 18. DOS ATTACKS AND DDOS ATTACKS  The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.  Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server.  Denial-of-service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. 18
  • 19. HOW DOS ATTACKS PERPETRATED?  A DoS attack can be perpetrated in a number of ways:  Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.  Disruption of configuration information, such as routing information.  Disruption of state information, such as unsolicited resetting of TCP sessions.  Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. 19
  • 20. SESSION HIJACKING ATTACKS  The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections.  The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.  The session token could be compromised in different ways : Predictable session token Session Sniffing Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc) Man-in-the-middle attack Man-in-the-browser attack 20
  • 21. 21 THREE PROTECTION STRATEGIES 1. External patching  Also known as "just-in-time patching" or "virtual patching"). 1. Negative security model  Looking for bad stuff.  Typically used for Web Intrusion Detection.  Easy to start with but difficult to get right. 1. Positive security model  Verifying input is correct.  Usually automated, but very difficult to get right with applications that change.  It's very good but you need to set your expectations accordingly.
  • 22. Thank you! Download this presentation from Questions? 22