Man kann nur schützen was man sieht - oder Zentrales Entschlüsseln von SSL/TLS Verkehr Rethinking Security

Size: px

Start display at page:

Download "Man kann nur schützen was man sieht - oder Zentrales Entschlüsseln von SSL/TLS Verkehr Rethinking Security"

Stephanie Roberts
5 years ago
Views:

1 Man kann nur schützen was man sieht - oder Zentrales Entschlüsseln von SSL/TLS Verkehr Rethinking Security Stepan Svihla Sr. Sales Engineer Central & Eastern Europe

2 Corporate Overview THE ESSENTIAL ELEMENT OF YOUR SECURITY Gigamon is leading the convergence of networking and security. Our next generation network packet broker helps make threats more visible, deploy resources faster and maximize performance. HQ FOUNDED EMPLOYING SERVING NAMED Santa Clara California, USA employees Over 2,800 customers Market leader GLOBAL OFFICES CEO PATENTS VERTICALS 20 Countries *Feb 2018: Offices, employee and patent information **Q1 2018: Customer count Paul Hooper 51 Global patents issued Public Sector Financial Services Healthcare Retail Technology Service Providers 2018 Gigamon. All rights reserved. 2

3 Trusted by the World s Leading Organizations Gigamon Customers 7 of the top ten Global Banks 8 of the top ten largest Tech Companies 8 of the top ten Healthcare Providers 83 of the Fortune of the top ten U.S. Federal Agencies 8 of the top ten Mobile Phone Network Operators Customer data from April List sources available upon request Gigamon. All rights reserved. 3

6 The Data-in-Motion Dilemma Volume + Speed + Threats = Complexity + Risk + Cost Network Data Security tools do not scale as fast as data Volume Emergence of Big Data Data Center transition to 100Gb Internet of Things Machine to Machine 6.7ns available to process a network packet on a 100Gb link 6.8ZB of global data center traffic in 2016* 1.7PB of M2M traffic in 2017** Security Tool Time * Cisco Global Cloud Index: Forecast and Methodology, White Paper. Cisco. Feb ** Statista Global machine-to-machine (M2M) data traffic from 2014 to 2019 (in petabytes per month) 2018 Gigamon. All rights reserved. 6

7 Today s Limitations Data Overload Yet Limited Visibility Irrelevant traffic Irrelevant traffic Irrelevant traffic SIEM APM / NPM IPS/APT/WAF LIMITED VISIBILITY LIMITED VISIBILITY LIMITED VISIBILITY DATA Physical, Virtual and Cloud Infrastructure 2018 Gigamon. All rights reserved. 7

8 New Levels of Security and Performance increased performance increased performance increased performance 141 Only relevant traffic 141 Only relevant traffic 141 Only relevant traffic IPS/APT/WAF SIEM APM / NPM 1 2 GigaSECURE SECURITY DELIVERY PLATFORM 3 Hell o Hel lo FULL VISIBILITY Hell o DATA He llo Physical, Virtual and Cloud Infrastructure He llo Hell o 2018 Gigamon. All rights reserved. 8

10 Security Delivery Platform Explained Remote sites Internet Public cloud WAF ATP IPS SIEM DLP Forensics Firewall Routers SECURITY DELIVERY PLATFORM Spine switches Leaf switches Virtualized server farm Reach physical, virtual and cloud Metadata for improved forensics Targeted inspection Detection of encrypted threats Inline mode for visibility and control 2018 Gigamon. All rights reserved. 10

GigaSECURE Security Delivery Platform Remote sites Internet Public cloud 23 1 14 15 13 11 12 10 89 7 56 4 17 18 16 WAF ATP IPS SIEM DLP Forensics Firewall API Routers GIGASECURE SECURITY SECURITY

11 GigaSECURE Security Delivery Platform Remote sites Internet Public cloud WAF ATP IPS SIEM DLP Forensics Firewall API Routers GIGASECURE SECURITY SECURITY DELIVERY DELIVERY PLATFORM PLATFORM Spine switches Leaf switches Virtualized server farm Reach Physical, physical, virtual Virtual and cloud and Cloud Metadata for improved Engine forensics Application Targeted Session inspection Filtering Detection SSL of encrypted Decryption threats Inline Inline mode for visibility Bypass and control 2018 Gigamon. All rights reserved. 11

12 Gigamon Data-in-Motion Visibility Platform Tools & Applications S ecurity E xperience M anagem ent P erform ance M onitoring A nalytics Tools and A pplications A PI Orchestration GigaVUE-FM API NSX Manager vcenter Traffic Intelligence Adaptive Packet Filtering Application Session Filtering De-duplication FlowVUE GTP Correlation Header Stripping Masking NetFlow and Metadata Generation Slicing SSL Decryption Tunneling Flow Mapping Clustering Inline Bypass GigaStream Visibility Nodes Intelligent Visibility Public Cloud Virtual Traffic Aggregators Network TAPs Any Network Data Center, Hybrid and Private Cloud Public Cloud Service Provider Networks Remote Sites 2018 Gigamon. All rights reserved. 12

13 RDY POWER TAP1 TAP2 TAP3 TAP4 ON/OF F USB RDY PWR FAN PTP PPS M/S Stack/PTP Mgnt / Con G1 / G2 G3 / G4 X1/X2 X3/X4 X5/X6 X7/X8 X9/X10 X11/X12 RDY POWER A1 B1 M1 A2 B2 M2 X1/X2 X3/X4 H/S The Core Product : Deployment Options Small Deployments Typical Data Center Deployments Large Data Center and Service Provider Deployments GigaVUE-HC1 10 / 100 / 1000Mb Copper 1 / 10Gb Fiber GigaVUE-HC2 10 / 100 / 1000Mb Copper 1 / 10Gb Fiber 40Gb & 100Gb Fiber GigaVUE-HC3 10Gb using breakouts* 40Gb Fiber 100Gb Fiber 2018 Gigamon. All rights reserved. 13

GigaVUE TA Series Features PORT EXPANSION Half-RU 16 x 10Gb patch panel option for 40Gb ports 12 x 10Gb Patch panel module for 16 M x 10Gb Series Patch

14 GigaVUE TA Series Features PORT EXPANSION Half-RU 16 x 10Gb patch panel option for 40Gb ports 12 x 10Gb Patch panel module for 16 M x 10Gb Series Patch Panel GigaVUE-TA10 G-TAP M Series PNL-M341 Patch Panel G-TAP M Series PNL-M343 Patch Panel GigaVUE-TA40 GigaVUE-TA Gigamon. All rights reserved. 14

15 Use Cases

16 Eliminate SPAN Port Contention Few Span Ports, Many Tools Without Gigamon With Gigamon Switch with two SPAN session limitation Intrusion Detection System (IDS) Application Performance Management VoIP Analyzer Packet Capture Switch with two SPAN ports Intrusion Detection System (IDS) Application Performance Management VoIP Analyzer Packet Capture Customer is unable to use all tools! Customer has complete visibility for all tools! 2018 Gigamon. All rights reserved. 16

17 Limited Access to Environment Limited Tool Ports, Many Switches Without Gigamon With Gigamon Switch 1 Switch 1 Switch 2 Switch 2 Switch 3 Switch 3 Analysis tool with only 2 NICs Switch 4 Analysis tool with only 2 NICs Switch 4 Switch 5 n Switch 5 n Limited Connectivity to Full Environment Pervasive Access Can Connect to All Points in the Environment 2018 Gigamon. All rights reserved. 17

18 Run Multiple POCs in Parallel Accelerate Certification Of New Tools Without Gigamon With Gigamon POC #1 Vendor X Tool POC #2 Vendor Y Tool POC #3 Vendor Z Tool POC #1 Vendor X Tool Tool tested w/ NW Segment 4 weeks Tool tested w/ same NW Segment 4 weeks Tool tested w/ same NW Segment 4 weeks POC #2 Vendor Y Tool POC #3 Vendor Z Tool 1 month 2 month 3 month Customer performs each Proof-of-Concept (POC) serially at different times using different data 1 month 2 month 3 month Customer is able to run multiple POCs concurrently using same data 2018 Gigamon. All rights reserved. 18

Change Media and Speed 10, 40 Or 100Gbps Traffic To 1Gbps or 10Gbps Tools Without Gigamon Intrusion Detection System (IDS) With Gigamon GigaVUE Matches Your Network to Your Tools 10Gb 1Gb Application

19 Change Media and Speed 10, 40 Or 100Gbps Traffic To 1Gbps or 10Gbps Tools Without Gigamon Intrusion Detection System (IDS) With Gigamon GigaVUE Matches Your Network to Your Tools 10Gb 1Gb Application Performance Management VoIP Analyzer Packet Capture Intrusion Detection System Application Performance Management VoIP Monitor Packet Capture Customer migrates to a 10Gb network and 1Gb monitoring tools become useless Customer able to extend the life of their 1Gb network and security tools 2018 Gigamon. All rights reserved. 19

20 The Core Product: Inline Bypass Overview SCALING INLINE SECURITY TOOLS E.g. WAN router E.g. Firewall IPS IPS WAF Scalability Maximize tool efficiency Increase scale of security inspection tools Integrate inline, out-of-band, flow-based tools and metadata E.g. IPS E.g. WAF E.g. AT P E.g. Core switch ATP ATP ATP Operational Agility Add, remove, and upgrade tools seamlessly Migrate tools from detection to prevention modes (and vice-versa) Consolidate multiple points of failure into a single, bypass-protected solution *IPS: Intrusion Prevention System WAF: Web Application Firewall ATP: Advanced Threat Prevention 2018 Gigamon. All rights reserved. 20

Example Use Case for GigaVUE-HC2 Intrusion Prevention Systems Internet NetFlow Collector Intrusion Detection System Edge Routers NetFlow

21 Example Use Case for GigaVUE-HC2 Intrusion Prevention Systems Internet NetFlow Collector Intrusion Detection System Edge Routers NetFlow Generation SSL Decryption GigaStream Inspection Data Loss Prevention Core Switches Out-of-Band Malware 2018 Gigamon. All rights reserved. 21

22 Gigamon Inline SSL Visibility Solution SSL Session Leg 2 (encrypted) Inline Tool Group (decrypted traffic) 3 1 SSL Session Leg 1 (encrypted) 2 Web Monitor Tool (decrypted traffic) Highlights Servers and clients located internally or externally Private keys not needed RSA, DH, PFS can be used Supports inline and out-of-band tools 2 Out-of-Band Tool (decrypted traffic) Encrypted traffic Decrypted traffic Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change Gigamon. All rights reserved. 22

23 Gigamon SSL Decryption Key Benefits Automatic SSL / TLS detection on any port or application Scalable interface support (1Gb 100Gb) Decrypt once. Feed many tools Strong crypto support: PFS, DHE, Elliptic Curve ciphers Certificate validation and revocation lists: strengthens organizations security posture Strong privacy compliance: categorize URL before decryption 2018 Gigamon. All rights reserved. 23

24 Respecting Data Privacy: URL Categorization File sharing Website (e.g. Dropbox) Internet Webroot Banking Website (e.g. Citi) Health care Website (e.g. Aetna) Inline tool (decrypted traffic) Supports up to 83 Web categories (Finance, Government ) Flexible policies based on multiple parameters (IP, Ports, VLAN, domain, categories) Whitelists and blacklists with over 5000 domain names 2018 Gigamon. All rights reserved. 24

NetFlow/IPFIX Generation Without Gigamon With Gigamon Challenges: High impact on routers and switches for generating NetFlow records Routers / switches generate sampled

network for Deep Packet Inspection (DPI) Generating NetFlow Information: With NetFlow, you know where you need to DPI.

25 NetFlow/IPFIX Generation Without Gigamon With Gigamon Challenges: High impact on routers and switches for generating NetFlow records Routers / switches generate sampled NetFlow which is inadequate for security Some routers do not support NetFlow, others have proprietary flow methods Without NetFlow, you can only instrument parts of your network for Deep Packet Inspection (DPI) Generating NetFlow Information: With NetFlow, you know where you need to DPI. Enable end-to-end security enforcement with visibility into every flow Ideal to detect Command and Control communications Validated with I ndustry-leading SIEM and NetFlow forensics collectors 2018 Gigamon. All rights reserved. 25

26 NetFlow Usage Network Monitoring Security Application Monitoring Network and capacity planning User/group monitoring and trending Troubleshooting network capacity problems Validation of QoS / ToS parameters Anomalous network behavior detection Attack discovery and mitigation Identification of compromised hosts Application discovery Application performance and impact monitoring Cloud performance monitoring Accounting Billing & Charge back 2018 Gigamon. All rights reserved. 26

27 NetFlow Generation Application Standards-based Flow Summarization & Analytics Flow Metadata Unsampled (1:1) NetFlow / IPFIX generation to detect low-and-slow attacks Filter records based on configurable parameters to predetermined tools Offload NetFlow/IPFIX generation from overloaded network infrastructure SIEM and NetFlow Forensics Integration Enable end-to-end security enforcement with visibility into every flow Ideal to detect Command and Control communications Validated with industry-leading SIEM and NetFlow forensics collectors Advanced Information Elements Optionally export URL info into custom elements in generated records Export records to up to six collectors supporting NetFlow v5 / v9 and IPFIX Leverage LLDP / CDP information to pinpoint network source 2018 Gigamon. All rights reserved. 27

Engine Benefits: High Performance Cost Savings Full

28 Metadata Engine Without Gigamon With Gigamon Volume, types and amount of data overwhelm SIEMs Metadata Engine Benefits: High Performance Cost Savings Full visibility, better security 2018 Gigamon. All rights reserved. 28

29 Metadata Extensions - URL and Response Codes URL & HTTP RESPONSE CODES Identify suspicious communication to malicious servers Uncover Denial of Service & compromise of internal web servers Key Benefits Export URL collection from HTTP & SIP messages Detect possible server compromise with Redirects Detect potential DoS attacks if server unavailable Baseline normal activity and detect anomalies EXTRACTED FIELDS All Response codes including: 100 Continue 101 Switching Protocols 200 OK 201 Created 202 Accepted 203 Non-Authoritative Information (since HTTP/1.1) 204 No Content 301 Moved Permanently 302 Found 400 Bad Request 401 Unauthorized 402 Payment Required 403 Forbidden 404 Not Found 406 Not Acceptable 409 Conflict 2018 Gigamon. All rights reserved. 29

30 Metadata Extensions - DNS DNS EXTRACTED FIELDS C&C Bots DNS Discover malicious communications to C&C servers using DNS transactions dnsidentifier dnsopcode dnsresponsecode dnsqueryname dnsresponsename dnsresponsettl dnsresponseipv4addr dnsresponseipv6addr dnsdatalen Key Benefits Uncover domain lookups for malicious C2 servers Identify endpoints beaconing to C2 servers Identify suspicious DNS servers with low TTLs Identify rogue DNS servers in the network 2018 Gigamon. All rights reserved. 30

Metadata Extensions - Certificate Anomalies HTTPS CERTIFICATES Analyze HTTPS certificates for bad or suspicious certificates EXTRACTED FIELDS sslcertificatesubject sslcertificatevalidnotbefore

31 Metadata Extensions - Certificate Anomalies HTTPS CERTIFICATES Analyze HTTPS certificates for bad or suspicious certificates EXTRACTED FIELDS sslcertificatesubject sslcertificatevalidnotbefore sslcertificatevalidnotafter sslcetificateserialnumber sslcertificatesignaturealgorithm sslcertificatesubjectpubalgorithm sslcertificatesubjectpubkeysize sslcertificatesubjectaltname sslservernameindication Key Benefits Identify expired certificates in network Identify self signed certificates in network Identify certificates using weak cipher algorithms Identify anomalies and mismatches in certificate fields 2018 Gigamon. All rights reserved. 31

32 VMware ESX and NSX Visibility into virtualized Data Ceneter and the Private Cloud

33 Network Traffic Visibility For Cross Network Workloads Challenges VM VM VM VM VM VM SERVER SERVER VIRTUALIZE Hypervisor Hypervisor HOST HOST Switch Switch TRADITIONAL VISIBILITY SPAN on Switch Ports Physical TAPs VIRTUAL VISIBILITY CHALLENGES Blind spots for Inter-Host VM traffic Blind spots for Intra-Host VM traffic (blade center) Security and Application Monitoring are forcing considerations!!! 2018 Gigamon. All rights reserved. 33

34 Virtual Visibility: More Important Than Ever 5 REASONS WHY YOU MUST CARE 1. Security no longer an after-thought during virtualization 2. Increasing VM density with mission-critical workloads 3. Visibility into VM-VM traffic needed for Security and Application Performance Monitoring (APM) 4. Creating new virtual instances of tools affects workload performance 5. Automated visibility after VM migration GigaVUE-VM IDS VIRTUAL IDS VM1 VIRTUAL ANTI- MALWARE VIRTUAL APM VM VIRTUAL SWITCH HYPERVISOR HOST VIRTUAL SWITCH HYPERVISOR HOST ANTI-MALWARE APM 2018 Gigamon. All rights reserved. 34

35 SSL decryption: East- West- Traffic Decryption of East-West-Traffic within vmware Complete Visibility Architecture tweaking GigaVUE-VM GigaVUE-VM IDS HYPERVISOR HYPERVISOR ANTI-MALWARE HOST HOST APM 2018 Gigamon. All rights reserved. 35

GigaVUE-VM Light Footprint Virtual Machine, Not

GigaVUE-VM: Virtual Workload Monitoring Enhanced for Software Defined

GigaVUE-VM onboarding Virtual traffic policy creation Internet

migration of monitoring policies Application Performance Network

37 GigaVUE-VM: Virtual Workload Monitoring Enhanced for Software Defined Data Centers (SDDC) Virtual Traffic Policies vcenter integration Bulk GigaVUE-VM onboarding Virtual traffic policy creation Internet Tunneling SERVER I SERVER II Private Cloud GigaVUE-FM Automatic migration of monitoring policies Application Performance Network Management Security Production Network Tools and Analytics 2018 Gigamon. All rights reserved. 37

38 Key Benefits Securing Virtual Traffic in the Software Defined Data Center Visibility into inter-host or intra-host virtual traffic Pervasive Visibility Virtual + Physical Automated Visibility into virtual traffic with dynamic service insertion Help preserve investment of your security and monitoring infrastructure 2018 Gigamon. All rights reserved. 38

39 Amazon Web Services Visibility into Public Cloud

Visibility Hot Spots in a Sample Web Application East-West Hot

41 Public Cloud Visibility Challenges and Gigamon Solution AWS AWS Region Region VPC ELB VPC ELB Web Tier ELB Tool Tier Gigamon Visibility Platform Web Tier ELB Visibility Tool Tier Tier GigaVUE-FM App Tier App Tier RDS RDS Tool Tier AZ AZ Inability to access all traffic Discreet vendor monitoring agents per instance Impacts workload and VPC performance Increases complexity Static visibility with heavy disruption Consistent way to access network traffic Distribute traffic to multiple tools Customize traffic to specific tools Elastic Visibility as workloads scale-out Elastic Load Balancing (ELB) Subnet Instances Tool Amazon Relational Database Service (RDS) Availability Zone (AZ) 2018 Gigamon. All rights reserved. 41

42 Deployment Examples: Hybrid Cloud Visibility Preserve Tool Investment AWS Region On-premise Data Center VPC ELB Web Tier 3 Visibility Tool Tier Tier Amazon EC2 APIs Amazon CloudWatch 1 2 GigaVUE-FM 1 2 Integrate with Amazon APIs Deploy Visibility Tier ELB App Tier RDS 3 Tool Tier 4 4 Tunneling Tool Tier 3 4 Copy EC2 instance traffic Aggregate and distribute customized traffic to tools AZ Elastic Load Balancing (ELB) Subnet Instances Tool Amazon Relational Database Service (RDS) Availability Zone (AZ) VPN Gateway VPN Connection Router Data Center 2018 Gigamon. All rights reserved. 42

44 Multi-Cloud Deployments

45 Multi-cloud: Centralized Visibility and Security PRESERVE TOOL INVESTMENT Applications SecOps VPC Applications Web tier Visibility tier Tool tier Visibility tier Web tier Web tier Visibility tier GigaVUE-FM App tier Amazon CloudWatch Azure API Management AWS Direct Connect Azure ExpressRoute On-Premises Data Center Security, Performance Management, and Analytics Tools 2018 Gigamon. All rights reserved. 45

46 Multi-cloud: Hybrid Cloud Visibility PRESERVE TOOL INVESTMENT Elastic Load Balancing Web tier Visibility tier Amazon CloudWatch On-Premises Data Center GigaVUE-FM Azure API Management Visibility tier Azure Load Balancing Web tier Elastic Load Balancing Azure Load Balancing App tier Amazon RDS Tool tier Tunneling Tool Tier Tunneling Tool tier App tier Azure SQL Database Availability Zone Region Virtual Network 2018 Gigamon. All rights reserved. 46

The Gigamon Visibility Platform

The Gigamon Visibility Platform See what matters. Andrea Baraldi - Sales Engineer Marco Romagnoli Sales Director 1 Safe Harbor Statement Any forward-looking indication of plans for products is preliminary