McAfee Firewall Enterprise: The only Firewall with the Intelligence to Continuously, Automatically Reduce the Risk and Threat Exposure of Your Network

Transcription

1 : The only Firewall with the Intelligence to Continuously, Automatically Reduce the Risk and Threat Exposure of Your Network Reputation filtering with TrustedSource and Geo-Location costeffectively minimizes the attack surface area of your network

2 Table of Contents Introduction 3 Shrinking Your Internet Exposure Geographically 3 Introducing s Geo-Location 3 Geo-Location technology reduces network traffic 4 Geo-Location reduces attack exposure 4 Shrinking Internet Exposure with Reputation Technology 4 TrustedSource global reputation intelligence 4 Identify a remote employee PC that has been compromised 6 Block access to rogue DNS servers and discover infected machines on your network 7 Shrinking Your Internet Exposure with Geo-Location and Reputation 7 TrustedSource and Geo-Location provide the ultimate flexibility you need for on-network and remote access 7 Securing access for traveling employees 8 Banking system protection 8 Substantially enhanced category-based web filtering 9 One More Note on Flexibility 10 Conclusion 10 About 10 About McAfee 10

3 Blended Threats are Becoming Commonplace Blended threats combine multiple threat vectors to maximize the severity of damage and speed of infection. For example, they might combine some characteristics of viruses and worms to exploit vulnerabilities in computers, networks, or other physical systems. A single attack might distribute a self-replicating virus-worm hybrid via , while also infiltrating a web server to infect all visitors to a target website. The conventional blacklists and reactive, signature-only technologies used in most firewall security products are incapable of identifying and defeating these sophisticated attacks. Introduction The scary statistics about increasing risks to your network are out there. They are in every single network security vendor s whitepapers. We won t bore you with all that. You know it, you live it. So let s get right to the point about how we can help empower your organization with McAfee Firewall Enterprise (Sidewinder ). is the only Firewall that today offers an automated, continuous way to reduce the risk and threat exposure of your network. This paper focuses on two new technologies that let you dramatically shrink your network risk exposure by limiting your organization s Internet connections and traffic to only the good or required trusted zones for your business needs. Moreover, these technologies further reduce your risk by applying reputation intelligence and other more conventional security technologies and practices to the remaining traffic. You will learn totally new ways these technologies protect networks from Internet risks and threats, while providing dramatically more flexible access and bandwidth maximization. If that sounds good, then read on. Shrinking Your Internet Exposure Geographically Most companies don t do business with every country in the world, but an Internet connection exposes your network to unsolicited, unwanted, and dangerous traffic from any point on the globe, including its most dangerous neighborhoods. It also gives your employees access to applications and servers in those very same geographical areas including many that harbor malware. What if there was a technology that allows you to quickly choose the geographic locations of all inbound and outbound connections and at the same time deny those coming from outside the areas where you didn t conduct business? Would that reduce your risk? Would that reduce your workload? Introducing s Geo-Location McAfee Firewall Enterprise Geo-Location is an innovative technology that enables organizations to block or allow connections based on firewall policies and country code information (see Figure 1). Now companies can choose which countries to receive connections from, as well as which locations their employees can initiate connections to. is the first and only firewall to reduce the risk of attack by shrinking geographic Internet exposure to only those geographical areas deemed relatively safe. Geo-Location filters access requests using our constantly updated database that associates every IP address on the Internet with a country code. This advanced functionality lets you block locations outright, or apply additional security measures such as in-depth application filtering, IPS, and anti-virus filtering. Geo-Location is available on all appliance models. Figure 1: Geo-Location dramatically saves bandwidth and reduces your exposure to attack by allowing or denying traffic based on country code. It s included on all appliance models. 3

4 Geo-Location allows organizations to control access from countries they don t do business with, as well as countries that are known originators of malicious hacking. While no geography is immune from malicious traffic, there are several hotbed areas with much higher concentrations of malicious propagation. A June 4, 2008 report from the Associated Press 1 identified the domains with the highest and lowest concentrations of risky sites. In the riskiest they found that between 11.8 percent and 19.2 percent of the websites surveyed were potentially dangerous to visitors. If an organization doesn t do business in such high-risk locations there is absolutely no reason to expose your network to them. IDC Weighs in on McAfee Firewall Enterprise s Geo-Location Technology Threat and traffic reduction are mutually desirable outcomes. Because unwanted and malicious traffic often comes from certain geographic regions where customers have no legitimate business interests, managing that traffic can reduce threats, improve security, and potentially lower the costs of mail archiving, compliance, ediscovery, and other IT activities. Geo-Location technology potentially provides these benefits by allowing enterprises to filter connections at the firewall perimeter based on the country location. This control, in conjunction with TrustedSource reputation filtering, can provide a heightened layer of protection. These capabilities are greatly expanding what network security devices can do, which is part of the growing trend for Extensible Threat Management (XTM). 1 Charles Kolodgy, IDC research director Geo-Location technology reduces network traffic Most organizations on the Internet today, including some of the world s largest, only have offices and employees in a handful of countries. So if you only do business in five or 10 countries, why not reduce network bandwidth by limiting the number of countries with which you allow Internet connections? You will conserve processing power for traffic you value, and you won t be under regulatory obligation to store massive quantities of unwanted for years. Geo-Location reduces attack exposure Limiting Internet access by country not only saves bandwidth, it dramatically reduces the risk of security breaches to your network, including Internet-facing applications and remote access servers. If all your offices, operations, and employees are in ten countries, why not set your firewall policy to block the remaining 185 to reduce the unnecessary risk of compromise? For government or critical infrastructure organizations at any level, Geo-Location filtering has even greater benefit, because these types of organizations typically only service the citizens in a specific country or region, and can easily legitimize a policy to block access outside that region. A government defense agency, for instance, could create a group of countries based on military alliances, and only allow connections resources to members of that group. Shrinking Internet Exposure with Reputation Technology Even in safe geographical area neighborhoods, there are those with malicious intent, ready to take advantage of the unsuspecting and unprotected. In the cyber world these entities are the increasingly organized cyber criminals and hackers that seek to damage your organization for profit. The best defense would be to identify the dangerous entity before it could attack. McAfee is the first to empower you with a more intelligent view of the characters at the other end of every Internet connection. TrustedSource global reputation intelligence But now that Geo-Location lets you restrict traffic to only the Internet neighborhoods you want and need, how do you avoid the cyber criminals lurking in those good neighborhoods? What if you could know whether an entity (a site or PC on the Internet) is good or bad, even if you ve never seen it before? McAfee TrustedSource technology, the industry s first and leading reputation system, sets a new standard for proactive threat detection. This real-time, in-the-cloud service knows the behavior history of virtually every Internet entity, and whether or not it s worth the bandwidth and risk of allowing it on your network (see Figure 2). TrustedSource is a new paradigm in protection because it continuously evaluates traffic against a realtime global reputation metric, not a static set of known bad definitions stored in the firewall

5 McAfee TrustedSource Data Your Protected Network Senders, Hosts (PCs, servers) Good Reputation Request Response Bad Reputation Powered by TrustedSource Figure 2: TrustedSource technology is an in-the-cloud service that provides reputation scores via an encrypted channel to your McAfee firewalls as a basis for connection risk assessment. TrustedSource offers real-time protection by proactively seeking out potential sources of zero-hour (unknown) attacks. Signatures (anti-virus and IPS) are great for stopping specific known attacks, and are an important part of any comprehensive firewall/gateway solution. But signature-based strategies are ineffective against new, zero-hour attacks that are morphed daily to evade defenses. TrustedSource actively looks for the attackers and malicious websites themselves. To use a military metaphor: it takes out the missile launcher, not the individual missiles, offering a proactive defense against zero-hour attacks, so you can avoid zombie PCs, spam, infected websites, botnets, rogue DNS servers, and more. TrustedSource works much like the credit scoring system used in the financial services industry. Every person and business is assigned a credit score based on their financial history (loans taken and repaid, payments made on time, etc.). Lenders use a potential borrower s credit score to assess loan risk and make individual credit decisions. In the cyber world, TrustedSource develops a reputation score for every Internet host and IP address by monitoring hundreds of billions of daily Internet transactions with tens of thousands of sensors worldwide. That score is then used at the firewall to allow or deny connections between your network and individual IP addresses, stopping botnets, zombies, and blended threats in their tracks, even in their initial appearance. McAfee TrustedSource Data Remote Employee GOOD to NEUTRAL Reputation = Normal Web Access Policy Global IP Address Reputation Intelligence to Request Response GOOD to NEUTRAL REPUTATION Bad Reputation BAD REPUTATION Powered by TrustedSource BAD Reputation = Bad Reputation Policy and Restricts View Figure 3: TrustedSource lets you set access policy based on reputation scores. Far ahead of signatures, TrustedSource can stop an attack that has never been encountered before! 5

6 TrustedSource global intelligence is distributed to McAfee Firewall Enterprise appliances in the cloud, providing real-time protection that quickly reflects day-to-day changes in trustworthiness. Just before the 2007 Super Bowl, the Miami Dolphins website was compromised 2 with malware that infected all visitors. TrustedSource quickly knew when this usually trustworthy site was compromised, and when it was once again safe. Its correct reputation scores allowed McAfee Firewall Enterprise appliances worldwide to make good access policy decisions in real time. The TrustedSource global intelligence grid gives you the ability to stop over 70 percent of all Internet traffic at the network perimeter, reducing the load on down-stream servers, and with it your risk of attack (Figure 4). TrustedSource lets you refocus resources on legitimate connections that should be further filtered with standard firewall security tools, including anti-virus, IPS, Web filtering, and specific application-layer controls. 2 Figure 4: TrustedSource global reputation intelligence will stop over 70 percent of all traffic flooding today s networks. Included with all appliance models, it drops unwanted traffic at the perimeter to free up bandwidth and processing power, save money, and reduce risk. Identify a remote employee PC that has been compromised What happens when an authorized employee attempts to access a finance database from a home PC, an airport kiosk, or a relative s PC that s a compromised zombie? That connection will be denied not because the user s VPN or strong authentication credentials failed (which they may not), but because TrustedSource has flagged that PC as a zombie and given it a very low reputation score. TrustedSource can prevent infected PCs from compromising your network over the Internet (Figure 5). TrustedSource blocks traffic coming from a PC with a POOR reputation score even if the emplyee attempts to log on using strong authentication McAfee TrustedSource Data Your Protected Network Request Response Remote Employee on a Zombie PC with Geo-Location Figure 5: Through real-time global reputation intelligence, TrustedSource knows when to deny an employee s remote access because of a compromised PC

7 Block access to rogue DNS servers and discover infected machines on your network With laptops, USB drives, and other portable media circulating freely between your environment and other public networks, ensuring that your employees machines are free from malware is almost impossible, even with the latest anti-virus software. Ingenious new viruses and malware keep appearing with rapid-fire speed; one new variety redirects an employee web page request to a rogue DNS server on the Internet. This rogue then redirects the employee s PC to an attack site guaranteed to do further damage to that machine and your network. with TrustedSource not only blocks this type of redirect attack, but also logs that attempt so administrators can find and remediate the infected machine. (Figure 6). McAfee TrustedSource 2 Checks Reputation with TrustedSource Data Desktop User Request Response Not a legitimate Internet DNS server; designed to redirect traffic to malicious site Internet Rogue DNS 1 PC is compromised Malware redirects DNS query Redirect sends to rogue DNS server on Internet with Geo-Location 3 TrustedSource denies request Figure 6: With its reputation scores, TrustedSource can identify rogue DNS servers that redirect Internet browsers to malicious sites. TrustedSource protects employees by detecting and blocking these attackers before harm can occur. Shrinking Your Internet Exposure with Geo-Location and Reputation TrustedSource and Geo-Location provide the ultimate flexibility you need for on-network and remote access Geo-Location can be used in conjunction with TrustedSource to dramatically reduce your organization s exposure by enabling access policies that utilize a combination of country code and IP address reputation. can use TrustedSource and Geo-Location separately or together to impose firewall policy on: 1. Both inbound and outbound traffic 2. Every protocol, not just web and mail 3. A per-rule basis, providing great policy flexibility 4. In combination with proxies, granular application controls, IPS, and virus/malware signatures Geo-Location and TrustedSource are flexible options that can be tailored specifically to your business requirements (and not deployed globally in your firewall policy, unless you need them that way). Each can be applied very specifically, either separately or in combination. Figure 7 gives examples of firewall policy flexibility that can be achieved when Geo-Location and TrustedSource technology work together. The rest of this paper will give specific real-world situations to show you these benefits. 7

8 Figure 7: Get the ultimate in flexible access to traffic by using Geo-Location and TrustedSource together. Securing access for traveling employees You can use TrustedSource and Geo-Location together to enable remote access by an employee who is traveling in a country that is blocked by corporate Geo-Location policy. Your firewall policy can be modified to allow a connection request originating from a blocked country if the requesting PC has a sufficiently high reputation score. (Figure 8). McAfee TrustedSource TrustedSource allows traffic with a GOOD reputation score even if it comes from a country with a POOR reputation score. Your Protected Network Request Response Employee Country Remote Employee in Country XYZ with Geo-Location Figure 8: An employee in a country blocked via Geo-Location can be allowed access to your network with a good TrustedSource reputation score and proper authentication credentials. Banking system protection In the banking industry today, preventing phishing attacks and dealing with post-attack log-in attempts constitute a significant cost and administrative burden. With TrustedSource and Geo-Location sitting in front of your servers you can have a very granular policy that blocks or further filters authentication attempts depending on the originating location and the reputation of the host. Figure 9 shows how banks could implement a firewall policy that blocks known risky countries except when the host (PC or server) also has a good reputation. 8

9 IP Location Internet Home Region Other Known Risky Countries GOOD Reputation ALLOW ALLOW REQUIRE CHALLENGE RESPONSE IP Reputation UNKNOWN Reputation SUSPICIOUS or MALICIOUS Reputation ALLOW BLOCK REQUIRE CHALLENGE RESPONSE BLOCK BLOCK BLOCK Banking System/ Critical Application with TrustedSource and Geo-Location Figure 9: For the banking world, Geo-Location and TrustedSource have the intelligence to filter connections from hosts with poor reputations or known risky locations, thus protecting your services against phishing attempts from around the globe. Substantially enhanced category-based web filtering In the Web 2.0 world, with drive-by malware infections contaminating hundreds of thousands of web servers in just a few days, category-based web filtering doesn t provide adequate protection. A recent study by Google confirms the prevalence of malware on legitimate web sites: Google said that in its analysis of several billion URLs and an in-depth look at 4.5 million websites over a 12-month period, it discovered 450,000 sites were successfully launching drive-by downloads of malware 3, TrustedSource, and Geo-Location substantially enhance the effectiveness of category-based web filtering solutions by preventing employees from connecting to a URL or advertisement that could maliciously redirect them, even on a popular and normally trustworthy website (Figure 10). TrustedSource s real-time global intelligence knows about the infected websites and has already categorized them with a poor reputation. uses that reputation score to deny access. Geo-Location further protects your network by denying employees access to sites in blocked countries where you don t do business or that your organization has deemed as hot spots for malicious websites. Your Protected Network GOOD Reputation Firewall Policy: ALLOW ACTIVE CONTENT Allow download of.exe and.pdf GOOD Reputation for BAD Reputation for XXX with TrustedSource and Geo-Location BAD Reputation Firewall Policy: BLOCK ACTIVE CONTENT Deny ActiveX Deny JavaScript Deny.exe files Deny.pdf files Scan all content for malware Figure 10: McAfee TrustedSource and Geo-Location pick up where legacy category-based web filtering leaves off. They provide real-time reputation intelligence for dynamic Internet entities and limit geographic exposure to undesirable Internet neighborhoods

10 One More Note on Flexibility TrustedSource technology provides another avenue of flexibility to fit your organization s needs. It uses a sliding scale of confidence for the reputation score, ranging from very bad to very good. The higher a website s reputation score, the more confidence we have that the site contains malware or is conducting malicious activity. Security administrators can set up access policies based on the reputation score supplied by TrustedSource. The reputation scores TrustedSource calculates in real time are categorized as malicious, suspicious, unverified, neutral, and trusted. Category boundaries can be adjusted to fit your network needs using simple configuration options in the Admin Console. For more information on TrustedSource, visit Conclusion McAfee s Firewall Enterprise sets a new standard for proactive threat detection by integrating Geo-Location technology together with TrustedSource, the industry s first and leading global reputation system, into every one of its appliance models. These new technologies not only protect your network perimeter from external attack, they prevent internal breaches due to careless browsing by employees or contractors. In addition, they reduce an organization s risk and attack exposure, reduce the traffic normally destined for Internet-facing applications, save valuable resources, and increase network performance. The combination of TrustedSource reputation-based policy and Geo-Location country policy can be used with existing anti-virus, IPS signatures, application-layer filtering, and other firewall policies to further reduce the company s exposure and prevent attacks. About appliances provide application visibility and application control for maximum protection and optimum network performance. Continuous global visibility of dynamic threats is the centerpiece of, and one of the key reasons for its superior ability to detect both known and unknown threats. Its multi-layer security measures block viruses, worms, Trojans, intrusion attempts, spam and phishing tactics, cross-site scripting, SQL injections, denial of service (DoS and DDoS), and attacks hiding in encrypted protocols. kills the evasive blended attacks that other security products can t see. Control Center (CommandCenter ) provides simplified central management of any number of firewalls across multiple enterprises. McAfee Firewall Reporter provides powerful, easy-to-use security event analysis and reporting. McAfee Firewall Profiler provides business context around firewall rulesets, turning hours and days of troubleshooting into a matter of clicks. For more information about, please visit our website at: About McAfee McAfee, Inc., headquartered in Santa Clara, California, is the world s largest dedicated security technology company. McAfee is relentlessly committed to tackling the world s toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse and shop the web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee, Inc Freedom Circle Santa Clara, CA McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2010 McAfee, Inc. 9066wp_nts_firewall-ent-reduce-risk_0310_ETMG