Post on 30-Jan-2018
Cyberoam White Paper
Cyberoam’s Layer 8 Technology
Protecting the weakest link in your security chain – the USER!
www.cyberoam.com I sales@cyberoam.com
Cyberoam's exclusive Layer 8 technology treats user identity as the 8th layer, or the human layer, in the network protocol stack, enabling organizations to overcome the limitations of conventional UTMs/firewalls which bind security to IP addresses alone. By implementing Layer 8 security in their networks, administrators gain real-time visibility into the online activity of users and can create security policies based on their usernames.
Introduction
Imagine an Internet without the facility of domain name servers (DNS): would you rather keep count of thousands of machine-readable, numeric IP addresses (192.168.8.1, etc.), or simply recall your favorite domain name: yahoo.com, facebook.com, etc.?
Now, think about the frustrations of a typical network administrator whose duties include reviewing logs generated by the web and mail activity of several hundred users, retrieving each and every computer name by its unique IP address and managing multiple user accounts.
The problem is further compounded by a shared and dynamically changing computing environment where administrators have to regularly update Internet access privileges for changing user scenarios: new joinees, leavers, employees in new roles. Furthermore, in dynamic DHCP and Wi-Fi environments, users can often cover their tracks by hiding behind a common IP address or machine to visit inappropriate websites, videos, infected files and more. In the absence of user-centric logs and reports, it is impossible to keep track of which user opened a specific website or application at a particular time.
It may get worse due to the rise of insider threats at the database level. Data demands of various users, poor access controls and excess permissions leave systems vulnerable to malicious internal users, especially the ones with technical knowledge of the database systems. Without being traced, they can exploit scripts, programs, toolkits, IP spoofing or unauthorized backdoor accounts, which can lead to full-blown database disclosures.
The User: the Weakest Security Link in an Organization
As per the traditional perimeter model of security, organizations were more concerned about outside-in threats, where firewalls, IDP etc. detect common phishing frauds, hackers and more. Today, following such an approach neglects the most critical and weakest security component: the human element. In an inside-out threat scenario, human users, either out of sheer ignorance or malicious intent, can become the weakest link in the security chain. As mentioned previously, shared computing environments such as the multiple-users-per-machine setting are conducive to viruses, Trojans, worms etc. propagating unchecked in the network. They also encourage users to freely surf prohibited sites (e.g. pornography, proxies etc.) by hiding behind the IP address or someone else's machine.
Many security architects would admit that their networks often resemble what is known as "coconut security": hard on the outside, soft on the inside. All the protection and security resources are directed towards the perimeter, trying to keep the bad guy disarmed. However, the soft inside is what the attackers are really after, and the security solution is ultimately about getting to the crux of it all, i.e. knowing the insider threat source so that action can be taken instantaneously against security breaches.
For instance, many employees use instant messengers, webmail attachments and social networking sites without authorization, which can create avenues for malware and data leakage. In another scenario, heavy downloading and online gaming by some users can take its toll on network performance, as these are bandwidth-eating applications. Sometimes even a single user can bring the entire network to a crawl as it gets flooded with unnecessary traffic.
The problem gets more serious with malicious insiders. For instance, if a competitor had to gather information about an organization's trade secrets, what would be easier: employing the services of a hacker, or simply targeting an internal employee with access to the organization's confidential information?
A study by Ponemon Institute found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure. There are many reasons why such users may want to hurt the company; it could be a feeling of resentment due to an overlooked promotion or salary raise, or just the desire to use the knowledge gained in the company with a new employer.
In August 2009, DuPont filed a lawsuit against a research scientist for breach of contract and misappropriation of trade secrets for stealing a large number of files. Earlier, another DuPont research scientist was sentenced to prison for 18 months.
An ex-employee casually sends a chat message on Yahoo Messenger, a standard mode of communication in the organization, asking ex-colleagues to look at his new photos hosted on an unknown URL. The unsuspecting ex-colleagues click on the link, which prompts them to enter their Yahoo log-in IDs and passwords. Unknown to them, the log-in information is now captured by the ex-employee. In this way, he has a good repository of corporate passwords. The attacker now has the ability to log on to Yahoo! at any time in the guise of his former colleagues, misguide customers and put the organization at risk.
Some of these attackers use social engineering tactics, where they use persuasion skills on the target victims to create gaping security holes in the network.
Cyberoam Layer 8 (Human Layer) technology: Security built around the User's Identity
Most organizations have learned to live with the fact that user online behavior is always unpredictable and that there is not much that can be done no matter how strict the Internet access policies are made. This limitation can be attributed to existing firewalls/UTMs, which are based on the association of the source IP address with the destination IP address and have no visibility into the user who is the source of an attack. They are unable to apply user-specific rules when multiple machines share a single IP address. In these systems, the user's identity is not part of the rule-matching criteria considered by the firewall.
Accordingly, Cyberoam's Layer 8 concept was derived from the need for a more robust network security system capable of considering a user's identity as part of the firewall rule-matching criteria. It treats user identity as the 8th Layer, or the HUMAN layer, in the network protocol stack (see the figure below), thus attaching user identity to security while authenticating, authorizing and auditing the network. This takes organizations a step ahead of conventional security appliances which bind security to IP addresses.
Using Layer 8, the administrator is able to create a permanent profile for the user which makes all future authentication possible based on identity-based decision parameters such as username, IP address, MAC address and session ID. The profile is specific to the user and never changes, no matter which machine he/she operates from within the organization. Once authenticated, the user may be authorized by the administrator to gain access to the Internet based on various usage parameters including access time, Internet quota, security policies, web filtering, application controls, bandwidth restrictions and instant messenger controls. Finally, audit logs and reports including identity information related to the authorized user are created and stored in the system.
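The following Python sketch is an added illustration of what "user identity as a rule-matching criterion" means in practice; it is not Cyberoam's code and does not claim to show how the appliance is implemented. A session table binds an authenticated username to the IP, MAC and session ID it logged in from; rules can name users, groups and access-time windows as well as destination categories; and every audit entry carries the username. Two users sharing one workstation (same IP and MAC) get different verdicts for the same destination, and a packet that claims the IP of a live session from a different MAC is refused as spoofed. All rule names, categories, users, groups, addresses and times are constructed.

```python
"""Identity-aware (Layer 8 style) rule matching: an added, constructed example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Session:
    """An authenticated user bound to the IP, MAC and session ID it logged in from."""
    username: str
    ip: str
    mac: str
    session_id: str


@dataclass
class Rule:
    """A firewall rule. A field left as None means 'match anything'."""
    name: str
    action: str                                # "allow" or "deny"
    dst_category: Optional[Set[str]] = None    # destination web/app category
    users: Optional[Set[str]] = None           # Layer 8 criterion: usernames
    groups: Optional[Set[str]] = None          # Layer 8 criterion: group names
    hours: Optional[Tuple[int, int]] = None    # access window [start_hour, end_hour)


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    dst_category: str
    at: datetime


class Layer8Firewall:
    def __init__(self, rules: List[Rule], groups: Dict[str, str]):
        self.rules = rules
        self.groups = groups                      # username -> group
        self.sessions: Dict[str, Session] = {}    # source IP -> live session
        self.audit: List[dict] = []               # identity-tagged audit trail

    def login(self, username: str, ip: str, mac: str, session_id: str) -> None:
        self.sessions[ip] = Session(username, ip, mac, session_id)

    def logout(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def resolve_user(self, pkt: Packet):
        """Map a packet to a username via the session table; a MAC mismatch is flagged as spoofing."""
        sess = self.sessions.get(pkt.src_ip)
        if sess is None:
            return None, "unauthenticated"
        if sess.mac.lower() != pkt.src_mac.lower():
            return None, "ip-spoof"    # the IP belongs to a session bound to another MAC
        return sess.username, "ok"

    def _matches(self, rule: Rule, user: str, pkt: Packet) -> bool:
        if rule.dst_category is not None and pkt.dst_category not in rule.dst_category:
            return False
        if rule.users is not None and user not in rule.users:
            return False
        if rule.groups is not None and self.groups.get(user) not in rule.groups:
            return False
        if rule.hours is not None and not (rule.hours[0] <= pkt.at.hour < rule.hours[1]):
            return False
        return True

    def evaluate(self, pkt: Packet):
        """Return (verdict, username, reason); the first matching rule wins, default deny."""
        user, status = self.resolve_user(pkt)
        verdict, reason = "deny", (status if status != "ok" else "default-deny")
        if status == "ok":
            for rule in self.rules:
                if self._matches(rule, user, pkt):
                    verdict, reason = rule.action, rule.name
                    break
        self.audit.append({"time": pkt.at.isoformat(), "user": user, "ip": pkt.src_ip,
                           "dst": pkt.dst_category, "verdict": verdict, "reason": reason})
        return verdict, user, reason


# Constructed policy: rule names, categories, users and groups are assumptions.
RULES = [
    Rule("block-anon-proxy", "deny", dst_category={"anonymous-proxy"}),
    Rule("admins-webmail", "allow", dst_category={"webmail"}, groups={"admins"}),
    Rule("no-webmail", "deny", dst_category={"webmail"}),
    Rule("business-hours", "allow", dst_category={"business"}, hours=(8, 18)),
]
GROUPS = {"alice": "finance", "bob": "admins"}


def run_demo() -> Tuple[dict, list]:
    """Two users on one shared workstation (same IP and MAC) at different times."""
    fw = Layer8Firewall(RULES, GROUPS)
    ip, mac = "10.0.0.5", "00:11:22:33:44:55"
    t = lambda h, m: datetime(2014, 1, 6, h, m)
    out = {}
    fw.login("alice", ip, mac, "sess-1")
    out["alice_webmail"] = fw.evaluate(Packet(ip, mac, "webmail", t(10, 0)))
    out["spoof"] = fw.evaluate(Packet(ip, "de:ad:be:ef:00:01", "business", t(10, 5)))
    out["alice_offhours"] = fw.evaluate(Packet(ip, mac, "business", t(21, 0)))
    fw.logout(ip)
    out["unauth"] = fw.evaluate(Packet(ip, mac, "business", t(12, 0)))
    fw.login("bob", ip, mac, "sess-2")
    out["bob_webmail"] = fw.evaluate(Packet(ip, mac, "webmail", t(12, 30)))
    return out, fw.audit
```

An IP-only firewall would have to give alice and bob the same webmail verdict, since both packets carry 10.0.0.5; here the session table turns the same IP into two different identities, and the audit trail records which user was behind each decision.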
User Identity-based Security Policy Controls
Cyberoam network security appliances (UTM, Next Generation Firewalls) offer security across Layer 2-Layer 8 using Identity-based policies
Figure: Cyberoam's Layer 8 Technology treats "User Identity" as the 8th Layer in the protocol stack
L8 USER
L7 Application
L6 Presentation (ASCII, EBCDIC, ICA)
L5 Session (L2TP, PPTP)
L4 Transport (TCP, UDP)
L3 Network (192.168.1.1)
L2 Data Link (00-17-BB-8C-E3-E7)
L1 Physical
“Cyberoam's Layer 8 security system treats user-identity as the 8th Layer or the HUMAN layer in the network protocol stack, thus, attaching user identity to security. This takes organizations a step ahead of conventional security appliances which bind security to IP-addresses.”
Practical implications of Layer 8
Implementing Layer 8 in their networks enables organizations to base their security decisions on the actual human identities of users instead of IP addresses alone. This translates into a proactive security approach (instead of a reactive one) where security administrators are able to plan ahead, think through what security issues may come up in the future, and successfully make front-end efforts to prevent surprise insider attacks. In view of that, a Layer 8-enabled organization is more capable of foreseeing what is coming down the road, and where the attackers are coming from.
Measuring User Threat Quotient (UTQ): In an era of fluid network perimeters, where employees, customers and partners require access to different levels of sensitive business information, administrators feel the constant need to review the changing threat scenario posed by various users. This is done by measuring their user threat quotient (UTQ). To make the administrator's task easier, Layer 8 applies identity-based heuristics.
Once the required information is gathered, administrators can calculate the UTQ by rating users on various parameters. For example, the susceptibility of users to attacks may be ascertained from their employee status: whenever there is a new joinee or a terminated/expelled employee, the threat incidence becomes more pronounced, because administrators notice deviations from normal acceptable user behavior.
Administrators would also be interested in analyzing "who is doing what and when" in the network. This would furnish details such as usage of anonymous proxies, downloading of hacking tools, accessing data off-hours, and the total amount of data downloaded. Any malicious activity by a user would automatically raise a red flag, because the administrator would have the entire context of his/her activity: repeated wrong-password attempts, intrusion/hacking attempt alerts and more. It also enables individualized education for the end user.
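As an added example of the UTQ idea described in the two paragraphs above (this is not Cyberoam's scoring method, and the weights and log format are assumptions), the script below reads identity-tagged log lines, awards points per user for the signals the text names (anonymous-proxy use, downloading of hacking tools, off-hours activity, large downloads, intrusion alerts and repeated wrong-password attempts), scales the total by employee status (new joinee, leaver), and ranks users so the administrator sees who warrants scrutiny and why. The log lines, users, addresses and the key=value format are constructed for the example.

```python
"""User Threat Quotient (UTQ) scoring from identity-tagged logs: an added, constructed example."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed log lines in an assumed key=value format (not real appliance output).
LOG_LINES = """\
2014-01-06T09:12:00 user=alice ip=10.0.0.5 event=web category=business bytes=20480
2014-01-06T23:40:00 user=alice ip=10.0.0.5 event=web category=anonymous-proxy bytes=512000
2014-01-07T01:05:00 user=alice ip=10.0.0.5 event=auth result=fail
2014-01-07T01:05:30 user=alice ip=10.0.0.5 event=auth result=fail
2014-01-07T01:06:00 user=alice ip=10.0.0.5 event=auth result=fail
2014-01-07T01:09:00 user=alice ip=10.0.0.5 event=download category=hacking-tools bytes=4194304
2014-01-06T10:00:00 user=bob ip=10.0.0.7 event=web category=webmail bytes=4096
2014-01-06T14:30:00 user=bob ip=10.0.0.7 event=ips signature=backdoor-beacon
2014-01-06T11:00:00 user=carol ip=10.0.0.9 event=web category=business bytes=8192
2014-01-06T12:00:00 user=carol ip=10.0.0.9 event=auth result=ok
"""

# Assumed weights; a real deployment would tune these to its own environment.
WORK_HOURS = (8, 18)                 # [start, end) local hours
LARGE_DOWNLOAD = 1024 * 1024         # bytes
WEIGHTS = {
    "anonymous-proxy": 5, "hacking-tools": 5, "ips-alert": 4,
    "auth-fail": 1, "off-hours": 1, "large-download": 2, "brute-force": 5,
}
STATUS_WEIGHT = {"leaver": 1.5, "new-joinee": 1.2, "regular": 1.0}
EMPLOYEE_STATUS = {"alice": "leaver", "bob": "regular", "carol": "new-joinee"}  # constructed HR data


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def compute_utq(log_text: str) -> Dict[str, dict]:
    """Score every user seen in the log; a higher UTQ means more scrutiny is warranted."""
    scores: Dict[str, float] = defaultdict(float)
    reasons: Dict[str, List[str]] = defaultdict(list)
    fails: Dict[str, int] = defaultdict(int)

    for line in log_text.strip().splitlines():
        r = parse_line(line)
        u, pts = r["user"], 0
        if not WORK_HOURS[0] <= r["ts"].hour < WORK_HOURS[1]:
            pts += WEIGHTS["off-hours"]
            reasons[u].append(f"off-hours activity at {r['ts'].isoformat()}")
        cat = r.get("category")
        if cat in ("anonymous-proxy", "hacking-tools"):
            pts += WEIGHTS[cat]
            reasons[u].append(f"{r['event']} to category {cat}")
        if r["event"] == "ips":
            pts += WEIGHTS["ips-alert"]
            reasons[u].append(f"IPS alert {r.get('signature', '?')}")
        if r["event"] == "auth" and r.get("result") == "fail":
            pts += WEIGHTS["auth-fail"]
            fails[u] += 1
        if int(r.get("bytes", 0)) >= LARGE_DOWNLOAD:
            pts += WEIGHTS["large-download"]
            reasons[u].append(f"large transfer of {r['bytes']} bytes")
        scores[u] += pts

    # Three or more failed logins are treated as a pattern, not isolated typos.
    for u, n in fails.items():
        if n >= 3:
            scores[u] += WEIGHTS["brute-force"]
            reasons[u].append(f"{n} repeated wrong-password attempts")

    result = {}
    for u in scores:
        status = EMPLOYEE_STATUS.get(u, "regular")
        result[u] = {"score": round(scores[u] * STATUS_WEIGHT[status], 2),
                     "status": status, "reasons": reasons[u]}
    return result


def rank_users(utq: Dict[str, dict]) -> List[str]:
    """Usernames ordered from highest to lowest UTQ."""
    return sorted(utq, key=lambda u: utq[u]["score"], reverse=True)


if __name__ == "__main__":
    utq = compute_utq(LOG_LINES)
    for u in rank_users(utq):
        print(f"{u:6} UTQ={utq[u]['score']:5} ({utq[u]['status']})")
        for why in utq[u]["reasons"]:
            print(f"       - {why}")
```

The point of keeping a reasons list beside each score is the "entire context" the text refers to: the number alone tells the administrator whom to look at, while the reasons tell them what to look at and give the material for the individualized follow-up with the user.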
Adding speed to security: Organizations often go to great lengths in securing their physical infrastructure. They may store highly sensitive information in a special computer room, lock server areas, deploy CCTV cameras and anti-theft alarms, and restrict the access of employees to different departments/zones of a building.
What if it were possible to build in similar levels of protection to prevent information theft? Layer 8 protects corporate data and servers from unauthorized outside access while granularly preventing chosen internal users from accessing LAN-resident sensitive data such as customer records, tenders and contracts, internal files and applications and more. Since access control policies can be configured directly on usernames rather than on IP addresses alone, administrators can take faster decisions on preventing unauthorized entities (outsiders, malicious insiders etc.) from breaching the company's perimeter. This automatically adds speed to security.
Who is doing what?
Who is the attacker?
Who are the likely targets?
Which applications are prone to attack – who accesses them?
Who inside the organization is opening up the network? How?
Cyberoam’s integrated security built around Layer 8:
Cyberoam has incorporated the Layer 8 security paradigm in its Next Generation Firewall (NGFW). The Layer 8 design penetrates each and every security module of these appliances and enables administrators to apply security, connectivity and productivity policies to users.
Layer 8 security appliance: identity-based controls for individual users

Firewall
- Embed user identity in rule-matching criteria
- Role-based administration
- Granular IM, P2P & applications control
- Prevent IP spoofing attacks
- VLAN support: work & profile-based groups

Intrusion Prevention System
- Identity-based IPS policies for users and groups
- Identity-based alerts and reports
- Prevent user-targeted blended threats, backdoors etc.

Wireless WLAN Security
- Segmented network for employees and guests
- No common pre-shared keys: prevent information theft
- Layer 8 authentication and identity-based reports

Cyberoam iView Logging and Reporting
- Intrusion events and policy violations
- Identity-based reporting: "who is doing what"
- Web surfing trends and search reports
- Top unproductive sites and users
- Virus and intrusions reporting

Bandwidth Management
- Committed bandwidth for regular users
- Traffic routing based on user needs for assured QoS
- Establish priorities based on users, categories, applications
- Time-based bandwidth allocation for users

Application Layer 7 Visibility and Controls
- Visibility and controls on applications' usage by users
- Organization-wide application access policies for individual users
- User hierarchy-based applications access control

Instant Messenger Controls
- Prevent employees from idle chat
- Block file transfers, webcams, video
- Restrict who can chat with whom
- IM audit logs to study user behavior
- Keyword-based content filtering on chat window

Content Filtering
- Policies on users, groups, departments, hierarchy
- Block users from malware-laden sites
- Blocking IM, P2P applications & proxies
- Know "who is surfing what"
The Cyberoam identity-based firewall offers an interface for achieving unified security, allowing rules for all features to be configured and managed from the firewall page with complete ease. Layer 8 binds the security features together into a single, consolidated security unit and enables the administrator to change security policies dynamically while accounting for user movement: joiner, leaver, rise in hierarchy etc.
Through the Cyberoam Intrusion Prevention System, Layer 8 identity-based policies can be applied to users as well as user groups. Identity-based alerts and reports are generated every time DoS/DDoS attacks, malicious code transmission, backdoor activity or blended threats occur due to user activity.
Cyberoam's identity-based reporting module, Cyberoam iView, pinpoints precise network activity for each and every user. The iView dashboard shows all network attacks on a single screen with third-level drill-down reports (1000+ reports) for investigating the attacks, and the users behind them.
Cyberoam's identity-based content-filtering feature streamlines the management of corporate Internet access by monitoring the Internet traffic generated by each user and the time each one spends on Internet resources, and allows setting access limitations based on time and day of the week. In addition, Cyberoam network security appliances offer a user-, time- and role-based bandwidth management approach which ensures that users consuming huge amounts of bandwidth for non-productive work are restrained at the time of policy-making.
Cyberoam Instant Messaging Controls, with the Layer 8 identity-based approach, keep productivity in check by allowing administrators to control who can chat with whom over all communication media such as text chat, webcam and file transfer.
Layer 8 across Cyberoam’s entire Security Portfolio
Wireless WLAN security: Cyberoam network security appliances offer high-performance, Layer 8-based security over WLAN networks in order to secure wireless networks to the same extent as wired networks. Cyberoam offers strong user authentication, Internet access controls and reports with an identity-based approach, and offers separate Guest and Employee network access. With this, it has the ability to trace user-specific activities while reducing the risk of information theft and the liability of cyber-terrorism attacks.
Meeting regulatory compliance norms: Given the magnitude of threats to employee, customer, and corporate data, compliance regulations such as HIPAA, GLBA, SOX, PCI DSS, and more are forcing organizations to undertake security measures that control the access and activity of users. Faced with penalties in the case of non-compliance with regulations and loss of reputation in the case of data loss, organizations are under growing pressure to implement compliance measures within their network premises.
Cyberoam Product Portfolio
Virtual Security Appliances
Cyberoam Central Console (CCC)
CR iView (Logging & Reporting)
CR NG series NGFWs
CR NG series UTMs
Toll Free Numbers
USA : +1-877-777-0368 | India : 1-800-301-00013
APAC/MEA : +1-877-777-0368 | Europe : +44-808-120-3958
Cyberoam Awards & Certifications
Copyright © 1999-2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved. Cyberoam & Cyberoam logo are registered trademarks of Cyberoam Technologies Pvt. Ltd. ®/TM: Registered trademarks of Cyberoam Technologies Pvt. Ltd. or of the owners of the respective products/technologies.
Although Cyberoam attempted to provide accurate information, Cyberoam assumes no responsibility for accuracy or completeness of information, neither is this a legally binding representation. Cyberoam has the right to change, modify, transfer or otherwise revise the publication without notice.