Security Products & Research for Campus Networks
Erik G. Mettala, Ph.D.
Vice President, Network Associates Laboratories
Proprietary
Summary
• Problems with malicious activity are increasing
• Products are available to solve some of the problems
• Research must be focused to keep up with and eventually get ahead of problems
• Partnership among government, industry, and academia is the solution
Page 1, 10/7/2015
Network Incidents are Increasing
Chart: Network Incidents Reported per year, 1989 through 2003 (Est); y-axis from 0 to 180,000 incidents
Source: CMU Computer Emergency Response Team
Application Vulnerabilities are Increasing
Chart: Vulnerabilities Reported per year, 1989 through 2003 (Est); y-axis from 0 to 4,500 vulnerabilities
Source: CMU Computer Emergency Response Team
Machines Infected per Hour at Peak
Chart: Devices Infected per hour at peak, by Malicious Agent; y-axis from 0 to 100,000. Agents in the order shown: Code Red, Nimda, Goner, Slammer; bar values in the order shown: 2,777; 6,250; 12,500; 100,000
Source: McAfee AVERT
The Speed Of Attack Accelerates:
Slammer Goes Global In 3 Minutes
Companies Are Becoming More Porous, Susceptible to War Driving
• Web services applications under development by 98% of large enterprises
• 70% of WiFi networks are not secure
• 50M telecommuters
• 500 million Smart Phones by 2006
Network Associates Strategy
Diagram labels: Host Defense System; Network Defense System; Intrusion Protection; Desktop Security; SPAM & Content Filtering; Network Intrusion Detection; Service Desk; Network Optimization; Anti-Virus; Fault Identification; Manage / Remediation
Product Extensions and New Markets
Diagram: System Defense and Network Defense plotted against Existing Market, New Line, and New Market
The Network Associates® Security Portfolio
Network Associates Complete Threat Protection: System Protection Solutions and Network Protection Solutions
– Anti Virus – McAfee® AntiVirus #1 in corporate usage, now with online solutions for employee and partner usage
– Network Intrusion Prevention – McAfee® IntruShield blocks at gigabit speeds
– Enterprise Spam – McAfee® SpamKiller – Exchange & gateway products
– Security Forensics – InfiniStream™ Security Forensics high speed collection & analysis
– Host Intrusion Prevention – McAfee® Entercept stopped Slammer in production networks
– Policy Enforcement – ePO 1 hour global react time. Rogue machine under development.
– Network Instrumentation – Sniffer® Network Protection Architecture
– Network and Application Management – nPO™ Solution
Protection Against New & Known Attacks
Policy Enforcement & Remediation
System Protection Solutions
Diagram: product categories (Host Intrusion Prevention; Anti-Virus; Network Intrusion Prevention; Anti-Spam/Content Filtering; Forensic Analysis) mapped to products: NetShield, VirusScan, VirusScan ASaP, SpamKiller Enterprise, WebShield, ThreatScan, Desktop Firewall, GroupShield, ePO, SpamKiller
McAfee VirusScan - Desktop & Server
• Windows NT4.0/XP/2000, Windows Server NT4.0/2000/2003 plus Celerra & Citrix
– On-Access, On-Demand, Scheduled, Memory, & Email Scanning
• Centralized Management and Graphical Reporting
– ePolicy Orchestrator including 3.0 support
• Sophisticated Automatic Updating
– AutoUpdate via HTTP, FTP, UNC share, local or mapped drives
– Incremental DATs, full DATs, engine updates, Extra.DATs, service packs, or hot-fixes
– Resumable updating
• Extensive Language Support
– 13 Languages
– Microsoft Multilingual User Interface (MUI) support
McAfee SpamKiller
• Rules-Based Scanning and Scoring, 650+ Rules
• 5 protection levels:
– Integrity analysis - Examines the header, layout and organization of each email message to identify the common characteristics of spam
– Heuristic Detection - Many rules are automated based on known spam characteristics
– Content Filtering - Detects keywords and phrases
– Black and White Lists - A Whitelist defines acceptable senders of email; a Blacklist defines unwanted and unacceptable senders of email
– Self Tuning - Adjusts the spam score for senders who have previously been accepted as senders of legitimate email
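A rules-based scorer that layers the five protection levels listed above, added here as an illustration rather than SpamKiller's own code: the rule names, weights, threshold and the per-message trust credit are assumptions, and the messages it is run on are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class Message:  # one parsed message: envelope sender, header dict, body text
    sender: str
    headers: dict
    body: str

def _caps_heavy(m):
    letters = [c for c in m.body if c.isalpha()]
    return bool(letters) and sum(c.isupper() for c in letters) > 0.3 * len(letters)
def _reply_to_mismatch(m):
    reply_to = m.headers.get("Reply-To", m.sender)
    return reply_to.rsplit("@", 1)[-1].lower() != m.sender.rsplit("@", 1)[-1].lower()

# Level 1, integrity analysis: header, layout and organisation of the message.
INTEGRITY_RULES = [
    ("missing_message_id", lambda m: "Message-ID" not in m.headers, 2.0),
    ("missing_date", lambda m: "Date" not in m.headers, 1.5),
    ("reply_to_domain_mismatch", _reply_to_mismatch, 1.5),
]
# Level 2, heuristic detection: rules derived from known spam characteristics.
HEURISTIC_RULES = [
    ("caps_heavy_body", _caps_heavy, 1.5),
    ("many_exclamations", lambda m: m.body.count("!") >= 3, 1.0),
]
# Level 3, content filtering: weighted keywords and phrases (assumed values).
CONTENT_PHRASES = {"free money": 2.0, "act now": 1.0, "click here": 1.0}
SPAM_THRESHOLD = 5.0  # assumed cut-off; the product's real weights are not on the page
TRUST_CREDIT = 0.5    # assumed score reduction per previously accepted message (capped)

@dataclass
class Scorer:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    accepted: dict = field(default_factory=dict)  # sender -> accepted-message count

    def score(self, m):
        """Return (score, fired_rule_names) for one message."""
        sender = m.sender.lower()
        # Level 4, black and white lists: decided before any rule runs.
        if sender in self.blacklist:
            return 2 * SPAM_THRESHOLD, ["blacklisted_sender"]
        if sender in self.whitelist:
            return 0.0, ["whitelisted_sender"]
        total, fired = 0.0, []
        for name, test, weight in INTEGRITY_RULES + HEURISTIC_RULES:
            if test(m):
                total, fired = total + weight, fired + [name]
        body = m.body.lower()
        for phrase, weight in CONTENT_PHRASES.items():
            if phrase in body:
                total, fired = total + weight, fired + ["phrase:" + phrase]
        # Level 5, self tuning: a sender with accepted history earns a bounded credit.
        credit = min(self.accepted.get(sender, 0), 3) * TRUST_CREDIT
        if credit:
            total, fired = max(0.0, total - credit), fired + ["sender_history"]
        return total, fired
    def classify(self, m):
        """Return (is_spam, score, fired); accepted mail updates the sender history."""
        total, fired = self.score(m)
        is_spam = total >= SPAM_THRESHOLD
        if not is_spam:
            key = m.sender.lower()
            self.accepted[key] = self.accepted.get(key, 0) + 1
        return is_spam, total, fired
```

The same borderline message is classified differently for a sender with accepted history and for an unknown sender, which is the self-tuning effect the slide describes.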
Entercept Host Intrusion Protection
• Host-based intrusion protection software that implements
– Signature-based detection
– Anomaly-based detection
– Behavior-based detection
Entercept Host Intrusion Protection
ePolicy Orchestrator
• Centralized control & visibility of malicious code defenses
• Deploy & maintain updated protection
– Update 50,000 devices in less than one hour
– Distribute weekly/emergency DATs, engines, SPs, hot fixes, Extra.DATs, patches
– Identify and protect new devices and machines
• Configure & enforce policies centrally
– Lock down & automate your policy
– Customize policy to combat new threats
– Coordinate defenses for blended threats
• Monitor activity with total visibility
– Am I protected? Am I infected?
– View key one-page executive summaries
– Track an outbreak to its source
– Initiate and report on viral vulnerability scans
McAfee Security AVERT (Anti-Virus Emergency Response Team)
• Leading AV research team with 50 years combined experience
• Global presence
• 365 days/year, 7 days/week, 24 hours/day!
• Advanced virus analysis and research
• Leading-edge anti-virus services
• Driving scan engine development
Network Protection Solutions
Diagram labels: Sniffer; Wireless
IntruVert Network Intrusion Prevention
Industry's first real-time network intrusion prevention against known, unknown and DoS attacks
IntruVert Network Intrusion Prevention
IntruShield: Next Generation IDS
• Accurate detection and real-time prevention
• Unprecedented Intrusion Intelligence
• Comprehensive integrated protection
– Advanced signature, anomaly, and DoS detection
• Scalability and deployment flexibility
– In-line, Tap, SPAN, Port clustering, High Availability
• Delivers Security Return on Investment (ROI)
InfiniStream Security Forensics
• Network traffic forensic software based on Traxis stream-to-disk technology
• Continuously capture and store network traffic
• Stores up to 2.5 days of traffic at gigabit speeds in 2.7 TeraBytes of storage
• Reconstruct, replay, and investigate specific events, such as security breaches and network slowdowns
• Allows in-depth understanding of the root cause of costly problems to prevent them from happening again
Sniffer Technologies
• Network Instrumentation - Sniffer® Network Protection Architecture
• Expert Analysis in the Field - Sniffer® Portable
• Protocol Analysis in a Single Network Appliance - Sniffer® Distributed
• Manage wireless LAN 802.11b environments - Sniffer® Wireless
• Analyze Voice/Data convergence - Sniffer® Voice Over IP
• Small Business Network Analysis - Sniffer® Investigator
• Network and Application Management - nPO™ Solution
The Intrusion Protection Challenge
• Intrusion Protection technologies are nascent in nature
• Intrusion protection is addressing a fundamentally hard, if not intractable, problem
• Regardless of the difficulty, the need remains high
• Requires substantial R&D partnership among government, industry, and academia
Network Associates Laboratories
• Vision
– To be internationally recognized as the leading authority in intrusion protection research
• Mission
– To conduct fundamental and applied research and to develop prototype applications that provide highly accurate, highly automated approaches to computer and network security and response
Network Associates Labs Organization and Projects
Organization chart: research groups HIP (Host Intrusion Protection), NIP (Network Intrusion Protection), WIP (Wireless Intrusion Protection), MCD (Malicious Code Defense), SPM (Security Policy & Mgmt), HPAF (High Performance Assurance & Forensics), and TAVA (Threats, Attacks, Vulnerabilities & Architectures)
Project labels on the chart: Trusted BSD, SELinux, Wrappers, SHIM, Windows, Palm OS, WinCE, IDIP/CITRA, ANIDR, NetBouncer, FloodWatch, CORBA, Java RMI, ITDOS, DoS, DDoS, Worms, Anti-Spam, RBAC, TBAC, TMAC, CBAC, ABAC, GINSU, Sniffer IXP, Metrics, De-Worm, SPMA, SADD, Spice, IDioM, IDMANET, 802.11b, HESSI, TWNA, Sequoia, 3RG, Semantic Processor
Mapping Labs RGs to BU Strategy
Diagram: the research groups (HIP, NIP, WIP, MCD, SPM, HPAF, TAVA) placed against the strategy elements: Host Defense System; Network Defense System; Intrusion Protection; Desktop Security; SPAM & Content Filtering; Manage / Remediation; Network Intrusion Detection; Network Optimization; Anti-Virus; Fault Identification; Service Desk
Host Intrusion Protection
Current Products
Large Enterprises (> 2000)
• McAfee VirusScan
• GroupShield
• ePolicy Orchestrator
• WebShield
• Entercept IDS
• SpamKiller
• E-Business Server
Medium Enterprises (251-2000)
• McAfee VirusScan
• GroupShield
• ePolicy Orchestrator
• WebShield
• Entercept IDS
• SpamKiller
• E-Business Server
Small Business (< 251)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
Consumers
• McAfee VirusScan
• McAfee SpamKiller
• McAfee Personal Firewall
Current Research
• Host-based security and intrusion prevention from the operating system out
• Automatic and highly accurate intrusion:
– Identification, detection, impact, response, forensics, remediation and incident management
• Open source secure operating systems and boot loaders
– Trusted BSD (5.0)
– Security Enhanced Linux
• Generic software wrappers
• Secure Windows systems
– X-Windows
– MS Windows
• Secure Middleware programs
– FTP, SMTP, HTTP, CORBA
Host Intrusion Protection
BU Research
Operating Systems
• e500 Linux platform security evaluation
• Sniffer re-hosting
Intrusion Protection
• Response and Remediation
Security Engineering
• Porting and testing for VirusScan engine OEM customers
Government Research
Operating Systems
• Trusted BSD Framework
• Security Enhanced Linux
Intrusion Protection
• Guaranteed Internet stack utilization (GINSU)
• Generic software wrappers
• System health and intrusion monitoring (SHIM)
Security Engineering
• Commercial OS audit facilities
Network Intrusion Protection
Current Products
Large Enterprises (> 2000)
• NetShield
• Sniffer nPO
• e500/e1000
• Sniffer Distributed
• IntruShield Network IDS
• Sniffer Portable
• InfiniStream Forensics
Medium Enterprises (250-2000)
• Sniffer nPO
• NetShield
• Sniffer Distributed
• e250
• Sniffer Portable
• IntruShield Network IDS
• Sniffer Wireless
Small Business (< 250)
• Sniffer Portable
• Sniffer Wireless
• IntruShield Network IDS
Consumers
• McAfee Personal Firewall
Current Research
• Preventing intrusions from entering and traversing wired and wireless networks
– Analyzing, interpreting, filtering, and shaping network traffic, and
– Rapidly coordinating other defensive actions on hosts, gateways, network monitors, management components, and specialized security devices
• Components and protocols focused on network devices and protocols
– Coordinated intrusion traceback and response architectures and protocols for large enterprises
– QoS and intrusion detection/correlation in wired and wireless networks, e.g., MANETs
– Mobile-code-based network security components
– DDoS and worm defense
– Protocol interpretation and filtering in monitoring devices and security gateways such as firewalls, routers, switches, and guards
Network Intrusion Protection
BU Research
Coordinated Analysis
• End-Host Corroboration IR&D
Network Traffic
• Custom ICA proxy for Gauntlet firewall
• SSL Transparency IR&D
• Web Services Security Study IR&D
• .NET Monitoring and Filtering IR&D
Security Engineering
• Intrusion Blocker for Cable/DSL Routers
• Sniffer SRM Security Study
• ePO vs. SEMS Analysis IR&D
Government Research
Coordinated Action
• Intrusion Detection Interface Protocol (IDIP), CITRA/IDIP
• Adaptive Network Intrusion Detection & Response (AN-IDR)
• Intrusion Detection in Mobile Ad Hoc Nets (ID MANET)
• Dynamic Quarantine (DQ)
Network Traffic
• NetBouncer
• DDoS Tolerant Networks (FloodWatch)
• Security and QoS in MANETs (SEQUOIA)
• IIOP Interpreter
Security Engineering
• DDoS Testbed Study
• OASIS Dem / Val
Wireless Intrusion Protection
Current Products
Large Enterprises (> 2000)
• Sniffer Mobile
• VirusScan for PDAs
• Sniffer Wireless
• VirusScan Mobile
• InfiniStream Forensics
• ePO for Wireless
Medium Enterprises (250-2000)
• Sniffer Mobile
• VirusScan for PDAs
• VirusScan Mobile
• Sniffer Wireless
• InfiniStream Forensics
• ePO for Wireless
Small Business (< 250)
• Sniffer Mobile
• VirusScan for PDAs
• Sniffer Wireless
• VirusScan Mobile
• InfiniStream Forensics
• ePO for Wireless
Consumers
• McAfee VirusScan for PDAs
Current Research
• Research, analyze, study, and develop solutions for security issues in emerging wireless protocols
– 802.11 Security
• Apply cryptographic technologies to security issues in wireless protocols
– Techniques for the physical and link levels
– Ad-hoc wireless security
– Low energy cryptographic techniques
– Low bandwidth cryptographic protocols
– Efficient key management
Wireless Intrusion Protection
BU Research
Government Research
Wireless Security
• 2.5G / 3G Wireless Security Study IR&D
Wireless Security
• 802.11 security
Wireless Security Engineering
• Secure Access Point (SAP)
Wireless Mobile Ad-Hoc Networks (MANETs)
• Identity-based Group Key Management
• Message Authentication Streams
• Joint Iterative Decoding and Authentication
• MANET Routing Protocol Security
• Intrusion Detection for MANETs
Malicious Code Defense
Current Products
Large Enterprises (> 2000)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
• McAfee SpamKiller
Medium Enterprises (250-2000)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
• McAfee SpamKiller
Small Business (< 250)
• McAfee VirusScan
• ePolicy Orchestrator
• Entercept IDS
• McAfee SpamKiller
Consumers
• McAfee AntiVirus
• McAfee Personal Firewall
• McAfee SpamKiller
Current Research
• Stop malicious code from damaging computers and networks, and maintain system availability while under attack
• Research strategy:
– Know the attackers' methods
– Recognize attacks when they occur
– Prevent or limit the damage from the attacks
– Operate through the attacks
– Put the research to use
• Research areas:
– Malware technology and trends
– Formal models of malicious code
– Next-generation malicious code detection
– Zero-day worm detection and containment
– Comprehensive malware scanning
– Intrusion tolerance and self-regeneration
– SPAM detection and blocking
– Source attribution
Malicious Code Defense
BU Research
Government Research
Malicious Code Detection & Response
• Jigsaw-based Correlation IR&D
Malicious Code Detection & Response
• Mission-Aware Rapid Quarantine for Enterprise Environments (MARQUEE)
• Malware technology and trends
• Formal models of malicious code
Anti-Spam
• Steganographic Analysis of Metamorphic Virii
• Advanced Anti-spam Detection Techniques
• Detecting & Washing Stego Images
Malicious Code Engineering
• Secure Protected Development Repository (SPDR)
• State-of-the-Art in Decompilation and Disassembly (SADD)
Security Policy & Management
Current Products
Large Enterprises (> 2000)
• McAfee ePolicy Orchestrator (ePO)
• Sniffer nPO Manager
• Sniffer nPO Visualizer
• IntruVert Security Manager (ISM)
Medium Enterprises (250-2000)
• McAfee ePolicy Orchestrator (ePO)
• Sniffer nPO Manager
• Sniffer nPO Visualizer
• IntruVert Security Manager (ISM)
Small Business (< 250)
• McAfee ePolicy Orchestrator (ePO)
• Sniffer nPO Manager
• Sniffer nPO Visualizer
• IntruVert Security Manager (ISM)
Consumers
• McAfee VirusScan
• McAfee Personal Firewall
• McAfee SpamKiller
Current Research
• Efficient & manageable security policy solutions
• Investigate, implement and validate mechanisms that support distributed security policy
– Authoring,
– Distribution,
– Enforcement, and
– Management
• Component mechanisms supporting security policy and management systems
– Access Control Techniques and Mechanisms
– Policy Definition Languages
Security Policy & Management
BU Research
Security Policy Management
• Policy Conflict & Compromise IR&D
• Policy Expansion & Propagation IR&D
Government Research
Security Policy Management
• Security policy configuration and enforcement across different platforms and mechanisms
• High-level security policy definition and specification
Access Controls
• Attribute-based Access Control (ABAC)
• Role-based Access Control (RBAC)
• Team-based Access Control (TBAC)
• Coalition-based Access Control (CBAC)
High-Performance Assurance & Forensics
Current Products
Large Enterprises (> 2000)
• Sniffer Distributed
• Sniffer Portable
• InfiniStream
• Cyprus 6040
Medium Enterprises (250-2000)
• Sniffer Distributed
• Sniffer Portable
• InfiniStream
Small Business (< 250)
• Sniffer Distributed
• Sniffer Portable
• InfiniStream
Consumers
Current Research
• High-performance appliances
– System architecture design and implementation trade-offs
– Packet classification, content inspection, and semantic processing
– Techniques for improving the speed and accuracy of Anti-Virus, Anti-Worm, Anti-Spam, IDS/IPS, Sniffer, and network capacity planning and management
– Network processors, high-bandwidth wireless networks, and storage area nets
• Forensic analysis and situation assessment
– Data mining, data collection, reduction, and normalization
– Machine learning algorithms and applications
– Visualization techniques
– Techniques to improve the speed, accuracy and understanding of data aggregation, information processing and decision-making, and presentation
– Domain-specific application analysis and information gathering
High-Performance Assurance & Forensics
BU Research
Government Research
High-performance Appliances
• Sniffer IXP
• Stream-to-disk (STD) study IR&D
High-performance Appliances
• NetBouncer
• Active Network – Intrusion Detection and Response (AN-IDR)
• FloodWatch
Security Evaluation
• Sniffer 6040 Security Evaluation
• Sniffer InfiniStream Security Evaluation
Threats, Attacks, Vulnerabilities and Architectures
Current Products
Large Enterprises (> 2000)
• McAfee VirusScan, ThreatScan, ePolicy Orchestrator, SpamKiller
• Entercept IDS
• IntruVert IntruShield
Medium Enterprises (250-2000)
• McAfee VirusScan, ThreatScan, ePolicy Orchestrator, SpamKiller
• Entercept IDS
• IntruVert IntruShield
Small Business (< 250)
• McAfee VirusScan, ThreatScan, ePolicy Orchestrator, SpamKiller
• Entercept IDS
• IntruVert IntruShield
Consumers
• McAfee VirusScan, ThreatScan, SpamKiller
Current Research
• Identification and characterization through models, taxonomies, patterns, and representational tools
– Threats to our security systems including hackers, spies, terrorists, vandals, military forces, etc.
– Attack mechanisms by which threats target our systems, networks, and information infrastructure, including study of preconditions and dependencies
– System, network, and application vulnerabilities by which security objectives are compromised: their origin, properties, manifestation in software and hardware, and remediation
• Architectural strategies and solutions to counter potential security threats
– Both novel and those resulting from the integration of current technologies
• Metrics, measurement techniques, and probabilistic techniques by which the effectiveness of specific security solutions and the composition of security solutions may be characterized and differentiated
Threats, Attacks, Vulnerabilities and Architectures
BU Research
Government Research
Future Threats
• AVERT
• Network Associates Labs
• Entercept
• IntruVert
Security Metrics Seedlings
• Metrics for Key Management Systems
• Measuring Assurance in Cyberspace
• Unifying Threat, Attack, & Vulnerability Taxonomies
Virus Threats
• AVERT
Other
• Security Patterns
Our Customers and Partners
Our customers and partners include Government agencies, leading technology corporations, and leading universities
Emerging Technology Partnership
• Network Associates Laboratories is seeking partners with whom to deploy emerging intrusion protection technologies in operational environments to support assessment
• We actively seek teaming relationships with leading-edge, university-based information security researchers
Summary
• Problems with malicious activity are increasing
• Products are available to solve some of the problems
• Research must be focused to keep up with and eventually get ahead of problems
• Partnership among government, industry, and academia is the solution
Questions?
Internet2