Automating Security Response Based on Internet Reputation: IP and DNS Reputation for the IPS Platform
Anthony Supinski, Senior Systems Engineer
www.h3cnetworks.com | www.3com.com | www.tippingpoint.com
Agenda: Reputation Services, a Valuable Component in Network Protection
- The new 3Com
- Introduction to the Reputation concept
- Real world threats that could be controlled by Reputation
- Building a Reputation Service
- Collecting Reputation data
- Automating the delivery of Reputation data
- Benefits of a Reputation Service
The New 3Com: An Enterprise Networking Powerhouse
- Laser focus on enterprise networking
- Financially strong
- One company, three brands: large enterprise; mid-market and small enterprises; best of breed security
- #2 in global enterprise switches (ports) and routers (units) market share
- #1 market share in China
- Securing over 30% of the Fortune 1000
- Profitable, generating cash from operations: $666 million in cash as of Q1 FY10
Focusing Your Security Resources with IP and DNS Reputation Services
- Known good traffic: Trust
- Unknown traffic: Inspect (security focus should be here)
- Known bad traffic (based on reputation): Block
Real World Threats - Botnet Command and Control
- Command and control (CnC) server used by the Botnet master for remote control of the Botnet
- Normal traffic for communication: IRC, P2P, HTTP (IM, Twitter)
- Dynamic selection of CnC servers, constantly moving
- Use both DNS names and IP addresses for CnC locations
(Diagram: Botnet Master, Bots, CnC Servers, DNS Server)
April 1, 2010
Real World Threats - Malware Depot
- Malware depots attempt to infect visiting clients
- Huge number of sites
- Two types of malware depots: used as drop sites for botnets, and hosting malware updates
- Botnet drop sites can also be very dynamic in nature
- Key lookup is often the DNS name
Real World Threats - Phishing Sites
- Phishing sites attempt to gather personal or proprietary data for malicious use
- Large number of sites hosting phishing scams
- Two types of phishing sites; often redirects from compromised sites
- Dynamic IP addressing requires support for DNS
- 341 hijacked brands (Anti-Phishing Working Group, Phishing Activity Trends Report, 3rd Quarter 2009)
Building a Strong Reputation Service
1. Worldwide community of sensors: collect real-time attack events; detailed attack data for analysis / correlation
2. Web traffic analysis and crawling: inspection of Web traffic to detect sites of interest; conduct Web crawling and analysis
3. Careful malware analysis: identify Botnet CnC sites; identify malware drop sites
4. Attack / scam analysis: collect attacks / scams over various apps; analysis to yield participating hosts
Security Research: collect large dataset, correlate datasets, validate results, provide frequent updates, prioritize entries (reputation score)
Reputation Database: IPv4 addresses, IPv6 addresses, DNS names, reputation metadata
Reputation Services - Automated Delivery and Enforcement
- Reputation Database: IPv4 & IPv6 address, DNS name, reputation info / metadata tags
- Data source: malicious Web servers, infected hosts, Botnet CnC
- Enforcement point at the access switch, between the Internet and the internal network
- Set policy based upon reputation score, country, and type (Botnet CnC, etc.)
- Requests to bad DNS domains blocked
- Traffic from bad IP addresses blocked
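The enforcement decision described on this slide, as an added example that is not part of the original deck or of any TippingPoint product: a constructed reputation database holding IPv4, IPv6 and DNS entries with score, country and type tags, plus a policy that maps each indicator to the trust / inspect / block outcome from the earlier slide. Entry values, thresholds and tag names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RepEntry:
    score: int     # 0..100 reputation score, higher = more confidently bad
    country: str   # country code of the hosting network
    tag: str       # type tag: botnet_cnc, malware_depot, phishing, ...

@dataclass(frozen=True)
class Policy:
    block_score: int = 90                              # score at/above -> block
    block_tags: frozenset = frozenset({"botnet_cnc"})  # always block these types
    block_countries: frozenset = frozenset()           # optional geo rule

# Constructed sample reputation database (IPv4, IPv6 and DNS names); not vendor data
REP_DB = {
    "198.51.100.23": RepEntry(95, "XX", "botnet_cnc"),
    "2001:db8::bad": RepEntry(60, "YY", "malware_depot"),
    "login-update.example.net": RepEntry(75, "ZZ", "phishing"),
}
KNOWN_GOOD = {"203.0.113.10"}  # constructed allow list of trusted hosts

def normalize(indicator: str) -> str:
    """Canonicalize an IP (via ipaddress) or DNS name so lookups match exactly."""
    text = indicator.strip()
    try:
        return str(ipaddress.ip_address(text))   # e.g. 2001:DB8::BAD -> 2001:db8::bad
    except ValueError:
        return text.lower().rstrip(".")          # DNS: case-fold, drop trailing dot

def decide(indicator: str, policy: Policy = Policy()) -> tuple:
    """Map an IP address or DNS name to (action, reason): trust, inspect or block."""
    key = normalize(indicator)
    if key in KNOWN_GOOD:
        return "trust", "known good"
    entry = REP_DB.get(key)
    if entry is None:
        return "inspect", "unknown, no reputation data"   # where IPS effort belongs
    if entry.tag in policy.block_tags:
        return "block", f"type {entry.tag}"
    if entry.country in policy.block_countries:
        return "block", f"country {entry.country}"
    if entry.score >= policy.block_score:
        return "block", f"score {entry.score} >= {policy.block_score}"
    return "inspect", f"listed, score {entry.score} below {policy.block_score}"

if __name__ == "__main__":
    for ind in ["203.0.113.10", "198.51.100.23", "2001:DB8::BAD", "Login-Update.example.net.", "192.0.2.7"]:
        print(ind, "->", *decide(ind))
```

Lowering block_score or adding tags and countries to the policy moves listed hosts from inspect to block without touching the database, which is the point of separating reputation data from enforcement policy.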
Reputation Services - A Smart Way to Focus Your Security Resources
First line perimeter protection by blocking known bad traffic:
- Botnets, Botnet Command and Control
- Malware, spyware, worms
- Spam, phishing emails
- DDoS
- Web application attacks
BENEFITS: preserves limited security resources
- By easily blocking difficult to detect bad traffic (those blackhats are sneaky!)
- By lowering the overhead on other security devices (firewalls, NIPS, etc.)
Come see us at Booth # 209.
Thank You
Anthony Supinski, Senior Systems Engineer
www.h3cnetworks.com | www.3com.com | www.tippingpoint.com