Unified Threat Management - opus1.com (opus1.com/www/presentations/smartdefense-utm.pdf)

Post on 04-May-2018


Unified Threat Management

Joel M Snyder, Senior Partner
Opus One, jms@opus1.com

Agenda: Unified Threat Management

• What is it?
• UTM features and where you should use them
• Performance and UTM
• Cost and UTM

What is UTM? Why would you want to use UTM?

UTM is a buzzword for…

• “threat mitigation we stuck in the firewall”
• “whatever new thing that we didn’t used to do that we do now”
  • For a price, usually

[Figure: the OSI stack, Physical, Data Link, Network, Transport, Session, Presentation, Application]

UTM can cover many bases

Goals: Bad Content, Control Usage, Bad Activity, Enforce Policy

Features:
• Anti-Spam
• Anti-Virus
• Anti-Spyware
• Anti-Phishing
• Intrusion Prevention
• DoS/DDoS Mitigation
• Content Filtering
• Application Blocking
• Bandwidth Management
• Regulatory Logging/Blocking

UTM has taken over the firewall industry

Current vendors include: Check Point, Cisco Systems, FortiNet, IBM/ISS, Juniper/NetScreen, Secure Computing, SonicWALL, Symantec, Untangle, WatchGuard, ZyXel

Features include: Firewall, VPN, Anti-Virus, Anti-Spam, Anti-Spyware, Anti-Phishing, Bandwidth Management, IPS/IDS, Content Filtering, Web Proxy

UTM is an alternative to the common approach to perimeter security

[Figure: “Rack ’em and Stack ’em” versus UTM]

Arguments for UTM vary depending on your environment

In the SMB space, four arguments push UTM

In the Enterprise Network, UTM has a very different justification

Criteria and notes:
• Flexibility: Ability to bring security services in and out of the equation quickly supports threat response requirements best
• Management: A single management interface reduces the possibility of mistakes
• Complexity: High Availability and Scalability are dramatically simplified in UTM
• Performance: By intelligently routing traffic to different engines, performance of a single large box can exceed multiple small boxes
• Cost: Long-term costs for UTM will likely be lower than individual point solutions

Of course, neither strategy excludes the other

You may want to do a mix-and-match solution because
• You have different management responsibilities (e.g., email versus network layer)
• You have audit requirements (e.g., compliance versus security)
• You have random requirements that aren’t met by a single product (e.g., box must be blue and have a prime number of fans)

Which parts of UTM are best? Which ones should I use? What will it cost me? What are key tactics on UTM?

Not every function in a UTM firewall offers the same level of security

Anti-Spam, Anti-Virus, Anti-Spyware, Anti-Phishing, Intrusion Prevention, DoS/DDoS Mitigation, Content Filtering, Application Blocking, Logging and Auditing, Regulatory Logging, Regulatory Compliance

Let’s run through them to make some general observations.

Start with: The UTM/no-UTM decision is often a budget and appropriate fit one!

Anti-spam/Anti-phishing with UTM is not a complete package


Edge Email Security Device: Reputation-based IP filtering; Powerful signature/heuristic-based anti-spam; End User Quarantine; Per-user settings; Greater control, reporting

UTM: Blacklist IP-based filtering; Simple DCC or content-based anti-spam

Anti-Virus and Anti-Spyware are the most common UTM features


• Works great at detecting outbound “phone home” of malware/spyware
• Works well for known protocols (SMTP, IMAP, POP) as long as the channel isn’t encrypted
• Works moderately well for web-based traffic as long as the channel isn’t encrypted & the port is predictable

With IPS, the problem isn’t the technology but the interface


Signatures and signature-based alerts don’t work.

DoS/DDoS mitigation works better out of the box because most UTM firewalls aren’t in front of hosting farms. A simpler interface is optimal.

Content Filtering and Application Blocking are “sweet spots” for firewalls


As a choke-point, firewalls are perfectly situated to enforce policy…

… although be aware that not every application wants to be enforced.

With content filtering, a 90% solution is generally acceptable.

Logging and Compliance require more than a UTM firewall


Regime, goal, and how IT helps:
• EU Data Protection. Goal: Personal information integrity. How IT helps: More firewalls; leak protectors
• Basel II. Goal: Promoting financial stability. How IT helps: More firewalls; disk
• California SB1386. Goal: Disclosure when a privacy breach occurs. How IT helps: More firewalls
• SEC 17A-4. Goal: Support of audit process. How IT helps: More disk
• HIPAA. Goal: Health information privacy and control. How IT helps: More firewalls; leak protectors
• SOX. Goal: Financial reporting integrity. How IT helps: More disk
• GLBA. Goal: Protection of private financial information. How IT helps: More firewalls; leak protectors

Best Practices for UTM

• Let your budget override everything: imperfect security is better than no security
• Don’t use technologies you don’t understand or won’t manage: IPS, IDS
• Don’t use UTM where it doesn’t work well: anti-spam, anti-phishing
• Use UTM to backstop better technologies: anti-virus, anti-spyware
• Use firewall + UTM where it fits perfectly: DDoS mitigation, application control, bandwidth management, content filtering


UTM Performance: Nothing is Free


Performance hit is no anomaly

[Figure: chart of Goodput (mbps) and Latency (sec)]

Goodput is not the most important metric for a firewall

[Figure: chart annotated “Added moderate latency”, “Added latency and loss”, “Added latency, loss, and bandwidth cap”]

UTM has benefits, and it has costs

UTM Benefits
• Reduces number of boxes you have to buy
• Reduces amount of un-coordinated management
• Ideally positioned (bottleneck) for Internet-facing security
• Allows you to incrementally add security without complexity

UTM Costs
• System performance can be dramatically affected
• “Single Choice” may be wrong choice for your network
• Some UTM features are in for check-list purposes, and not for security purposes
• Subscription costs need to be budgeted

Four Key Tactics for UTMs

• Nothing is Free: Adding security services to your network at any point will cost you time, money, and reliability. If you don’t budget for it, how are you going to pay for it?
• A Strong Perimeter is a Good Thing: But a deep defense is a better thing. Don’t let money spent on the edge deceive you.
• The Devil Is In The Details: Understand exactly what features of perimeter defense you need. If you don’t need it, don’t ask for it.
• Do What Makes Sense: Natural consolidation is a good thing. Forcing consolidation is a bad strategy.

How do I make a business case for UTM? Will UTM save me money, really?

Perimeter Intrusion Defense is something you already have

The question is: how do we grow perimeter security? Should we use UTM or not?

[Figure: decision flow. Are your perimeter defenses adequate? Do you add additional services to a UTM-ish firewall? Do you add standalone devices at the edge?]

How a Normal Business Decision is Supposed to be Made

Business Requirements and Needs → IT or MIS Project, Action, or Service

“Customers need to be able to see the status of orders, including shipping and tracking information.” → Project: Web-based portal into SAP to show order status; link to UPS via XML for shipping information

The problem with security is that it doesn’t solve direct requirements

Business Requirements and Needs → IT or MIS Project, Action, or Service

??? → Project: Upgrade our existing firewall to UTM version to add Intrusion Prevention System on Internet-facing links

So most security people build frameworks…

• Identify assets and define their value
• Identify threats to assets
• Calculate SLE = (EF x Value) + Downtime
• Calculate ALE_before = ARO_before * SLE_before
• Figure out a solution that mitigates risk
• Change EF, ALE, and ARO
• Calculate ALE_after = ARO_after * SLE_after
• Compare ALE_before with ALE_after

Where: SLE = Single Loss Expectancy; EF = Exposure Factor (0-100%); ALE = Annual Loss Expectancy; ARO = Annual Rate of Occurrence (0-100%)

Even if the numbers are largely bogus, you can ask yourself…

Compare ALE_before with ALE_after: ∆ = ALE_before - ALE_after

Is the amount of money I am proposing to spend LESS or MORE than the change in ALE?

But your typical CxO doesn’t want to see the framework

“The CIO wasn't going to look at the twenty seven eight-by-ten color glossy pictures with the circles and arrows and a paragraph on the back of each one explaining what each one was to be used as evidence against us.”

(with apologies to Arlo Guthrie)

So what do I do? If there’s no requirement, am I wasting time & money?

You can fall back to the Security Manager’s Best Friend: The Fear, Uncertainty, and Doubt Strategy

• Find out what newspaper the CxO reads
• Get a subscription and read it (Hint: you may have to touch paper to do this)
• Wait until there is a story about some awful security thing happening to someone, somewhere
• Run into CxO’s office with unsigned purchase requisition for random piece of security SW/HW. Tell him/her this will keep them out of the newspaper.

When you add these new technologies, there are OpEx costs

• UTM technology is moving from a CapEx model to an OpEx model
• Adding security services adds management costs whether UTM or dedicated

It’s not a question of one-time expenses. It’s a question of continuing costs!

For example, let’s suppose you like the ZyXel ZyWALL UTM 70 firewall

• Capital Cost: $1,588.00
• 1 Year: Anti-Virus and Intrusion Prevention: $362
• 1 Year: Anti-Spam: $202
• 1 Year: Content Filtering: $299

Capital: $1,588.00
Security Services: $863.00

But wait, there’s more…

Hardware maintenance tasks:
• Firewall configuration management, @ 24 hours/year
• Periodic Software Updates, @ 12 hours/year

Software maintenance tasks:
• Anti-virus management, @ 12 hours/year
• Intrusion Prevention management, @ 48 hours/year
• Content Filtering management, @ 24 hours/year
• Anti-spam management, @ 48 hours/year

Capital: $1,588.00
Security Services: $863.00
Management Time: 168 hours/year, or about $6,500.00

How about the SonicWALL PRO 2040?

• Capital Cost: $1,995.00
• 1 Year: Anti-Virus and Intrusion Prevention: $695
• 1 Year: Content Filtering: $995

Capital: $1,995.00
3 year Service costs: $4,788.00 (special package deal)

How about the Netscreen SSG20?

• Capital Cost: $1,100.00
• 1 Year: Anti-Virus, IPS, Content Filtering, and Anti-Spam: $700

Capital: $1,100.00
3 year Service costs: $2,100.00

You can always save money using Open Source technologies

ZyXel Proposal (1 year costs): Capital: $1,588; Support: $863; Overhead: 168 hours, $6,500; Total: $8,951

Open Source Proposal (1 year): Capital: $0; Support: $0; Overhead: 336 hours, $13,000; Total: $13,000

OK, I just put this in here as flame bait. But the point is real: overhead costs for this technology dominate acquisition costs
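The SLE/ALE framework from the earlier slides and the continuing-cost figures from these cost slides, worked through in code. This is an added example, not from the deck: only the ZyXel capital ($1,588), subscription ($863/year) and management (168 hours, about $6,500/year) figures come from the slides; the asset value, EF, ARO, downtime cost and the 3-year service life are constructed assumptions.

```python
"""Risk/cost model for a UTM decision (added example, not from the slides).

Implements the deck's SLE/ALE framework and its "continuing costs" point:
the yearly cost of the control (capital spread over its life, plus
subscriptions and management overhead) is compared with the ALE reduction.
Only the ZyXel ZyWALL UTM 70 figures come from the deck; every asset value,
EF, ARO, downtime figure and the service life below is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float    # value of the asset at risk, in dollars
    ef: float             # Exposure Factor: fraction of the value lost per incident (0-1)
    downtime_cost: float  # cost of the downtime one incident causes, in dollars
    aro: float            # Annual Rate of Occurrence: expected incidents per year

    def sle(self) -> float:
        """SLE = (EF x Value) + Downtime, as the deck defines it."""
        return self.ef * self.asset_value + self.downtime_cost

    def ale(self) -> float:
        """ALE = ARO * SLE."""
        return self.aro * self.sle()


def annual_cost(capital: float, life_years: int, subscriptions: float,
                mgmt_hours: float, hourly_rate: float) -> float:
    """Yearly cost of the control: capital amortised over its service life
    plus the recurring subscription and management overhead."""
    return capital / life_years + subscriptions + mgmt_hours * hourly_rate


def worth_it(before: Scenario, after: Scenario, yearly_spend: float) -> tuple[float, bool]:
    """Return (delta ALE, whether the spend is LESS than the change in ALE)."""
    delta = before.ale() - after.ale()   # delta = ALE_before - ALE_after
    return delta, yearly_spend < delta


if __name__ == "__main__":
    # Constructed figures: a $200k asset; the UTM upgrade is assumed to cut the
    # exposure factor, the downtime per incident and the incident rate.
    before = Scenario(asset_value=200_000, ef=0.25, downtime_cost=10_000, aro=0.5)
    after = Scenario(asset_value=200_000, ef=0.10, downtime_cost=5_000, aro=0.2)
    # ZyXel figures from the deck; capital spread over an assumed 3-year life,
    # hourly rate derived from the deck's 168 hours = about $6,500
    spend = annual_cost(1_588, 3, 863, 168, 6_500 / 168)
    delta, ok = worth_it(before, after, spend)
    print(f"ALE before ${before.ale():,.0f}, after ${after.ale():,.0f}, delta ${delta:,.0f}")
    print(f"yearly spend ${spend:,.2f} -> {'justified' if ok else 'not justified'}")
```

Run as a script it also shows the deck's point about overhead: of the roughly $7,900 yearly spend, about $6,500 is management time, not hardware.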

All this tells us some very unpleasant things

• It’s hard to justify spending money on security, because the ROSI (Return on Security Investment) or ROI (Return on Investment)
• The cost for the hardware is very reasonable, but…
• The cost for the ‘service’ can add 50% to 100% to the total each year, and…
• Your overhead and management costs are a continuing burden

Tips and Hints: The Business Case for UTM Security

• DO make the calculation of costs and expected benefits for any intrusion defense.
  • Learning IPS might be a lot of fun, but if it doesn’t bring enough value, maybe it’s not right.
• DO NOT fail to budget for support and subscriptions. UTM firewalls without updates are doorstops.
• DO prioritize based on your requirements and risks.
• DO NOT pick services because they came with the UTM firewall you already bought.
• DO NOT depend on FUD to sell security. But DO take advantage of it when opportunity presents itself.

Thanks!

Joel Snyder, Senior Partner
Opus One, jms@opus1.com