Cyberoam's Layer 8 Technology - Cyberoam : Securing You

Date post: 03-Feb-2022
Cyberoam White paper

Cyberoam’s Layer 8 Technology

Protecting the weakest link in your security chain – the USER!

www.cyberoam.com | [email protected]

Cyberoam's exclusive Layer 8 technology treats user identity as the 8th layer, or the human layer, in the network protocol stack, enabling organizations to overcome the limitations of conventional UTMs/firewalls, which bind security to IP addresses alone. By implementing Layer 8 security in their networks, administrators gain real-time visibility into the online activity of users while creating security policies based on their usernames.

Introduction

Imagine an Internet without the facility of domain name servers (DNS) - would you rather keep count of the thousands of machine-readable, numeric IP addresses (192.168.8.1, etc.), or simply recall your favorite domain name: yahoo.com, facebook.com, etc?

Now, think about the frustrations of a typical network administrator whose duties include reviewing logs generated by the web and mail activity of several hundred users, retrieving each and every computer name by its unique IP address and managing multiple user accounts.

The problem is further compounded by a shared and dynamically changing computing environment, where administrators have to regularly update Internet access privileges for changing user scenarios: new joinees, leavers, employees in new roles. Furthermore, in dynamic DHCP and Wi-Fi environments, users can often cover their tracks by hiding behind a shared IP address or machine to visit inappropriate websites, videos, infected files and more. In the absence of user-centric logs and reports, it is impossible to keep track of which user opened a specific website or application at a particular time.

It may get worse due to the rise of insider threats at the database level. Data demands of various users, poor access controls and excess permissions leave systems vulnerable to malicious internal users, especially the ones with technical knowledge of the database systems. Without being traced, they can exploit scripts, programs, toolkits, IP spoofing or unauthorized backdoor accounts, which can lead to full-blown database disclosures.

The User: the Weakest Security Link in an Organization

Under the traditional perimeter model of security, organizations were more concerned about outside-in threats, where firewalls, IDP etc. detect common phishing frauds, hackers and more. Following such an approach today neglects the most critical and weakest security component: the human element. In an inside-out threat scenario, human users, either out of sheer ignorance or malicious intent, can become the weakest link in the security chain. As mentioned previously, shared computing environments such as the multiple-users-per-machine setting are conducive to viruses, Trojans, worms etc. propagating unchecked in the network. They also encourage users to freely surf prohibited sites, e.g. pornography, proxies etc., by hiding behind the IP address or someone else's machine.

Many security architects would admit that their networks often resemble what is known as "coconut security": hard on the outside, soft on the inside. All the protection and security resources are directed towards the perimeter, trying to keep the bad guy disarmed. However, the soft inside is what attackers are really after, and the security solution is ultimately about getting to the crux of it all, i.e. knowing the insider threat source so that action against security breaches can be instantaneous.

For instance, many employees use instant messengers, webmail attachments and social networking sites without authorization, which can create avenues for malware and data leakage. In another scenario, heavy downloading and online gaming by some users can take its toll on network performance, as these are bandwidth-hungry applications. Sometimes even a single user can bring the entire network to a crawl as it gets flooded with unnecessary traffic.

The problem gets more serious with malicious insiders. For instance, if a competitor had to gather information about an organization's trade secrets, what would be easier: employing the services of a hacker, or simply targeting an internal employee with access to the organization's confidential information?

A study by the Ponemon Institute found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure. There are many reasons such users may want to hurt the company: a feeling of resentment over an overlooked promotion or salary raise, or simply the desire to use knowledge gained in the company with a new employer.


In August 2009, DuPont filed a lawsuit against a research scientist for breach of contract and misappropriation of trade secrets for stealing a large number of files. Earlier, another DuPont research scientist was sentenced to prison for 18 months.

An ex-employee casually sends a chat message on Yahoo messenger, a standard mode of communication in an organization, asking ex-colleagues to look at his new photos hosted on an unknown URL. The unsuspecting ex-colleagues click on the link, which prompts them to enter their Yahoo log-in IDs and passwords. Unknown to them, the log-in information is now captured by the ex-employee. In this way, he has a good repository of corporate passwords. The attacker now has the ability to log on to Yahoo! at any time under the guise of his former colleagues, misguide customers and put the organization at risk.

Some of these attackers use social engineering tactics, where they use persuasion skills on the target victims to create gaping security holes in the network.

Cyberoam Layer 8 (Human Layer) technology: Security built around the User's Identity

Most organizations have learned to live with the fact that user online behavior is always unpredictable and that there is not much that can be done, no matter how strict the Internet access policies are. This limitation can be attributed to existing firewalls/UTMs, which are based on the association of the source IP address with the destination IP address, with no visibility into the user who is the actual source of the traffic or the attack. They are unable to apply user-specific rules when multiple machines share a single IP address: in these systems, the user's identity is not part of the rule-matching criteria considered by the firewall.

Accordingly, Cyberoam's Layer 8 concept was derived from the need for a more robust network security system capable of considering a user's identity as part of the firewall rule-matching criteria. It treats user identity as the 8th Layer, or the HUMAN layer, in the network protocol stack (see the figure below), thus attaching user identity to security while authenticating, authorizing and auditing the network. This takes organizations a step ahead of conventional security appliances, which bind security to IP addresses.

Using Layer 8, the administrator is able to create a permanent profile for the user, which makes all future authentication possible based on identity-based decision parameters such as username, IP address, MAC address and session ID. The profile is specific to the user and never changes, no matter which machine he/she operates from in the organization.

Once authenticated, the user may be authorized by the administrator to gain access to the Internet based on various usage parameters, including access time, Internet quota, security policies, web filtering, application controls, bandwidth restrictions and instant messenger controls. Finally, audit logs and reports including identity information related to the authorized user are created and stored in the system.
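The authenticate / authorize / audit sequence just described, as an added example that is not Cyberoam's code: a small Python policy engine (rule fields, group names, the sample users and the endpoint addresses are assumptions) that binds an authenticated user to the IP, MAC and session ID they logged in from, matches an ordered rule base on username or group rather than on the source IP, and writes an audit entry carrying the identity. It also replays the DHCP case raised in the introduction: the same IP address reused by a different user gets a different decision, and a host that never authenticated matches no rule at all.

```python
"""Layer 8-style rule matching: authenticate, authorize, audit.

Added example, not Cyberoam's code. Rule fields, group names, the sample
users and the endpoint addresses are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Session:
    """The identity profile bound to an endpoint at login time."""
    username: str
    group: str
    ip: str
    mac: str
    session_id: str


@dataclass
class Rule:
    name: str
    subject: str           # "user:<name>", "group:<name>" or "any" (any authenticated user)
    dest_category: str     # e.g. "webmail", "p2p", "web" or "any"
    allowed_hours: tuple   # (start_hour, end_hour) on a 24h clock, end exclusive
    action: str            # "allow" or "deny"


class Layer8Firewall:
    def __init__(self, rules):
        self.rules = list(rules)   # ordered rule base: first match wins
        self.sessions = {}         # source IP -> Session
        self.audit_log = []

    def authenticate(self, username, group, ip, mac, session_id):
        """Bind the user's identity to the endpoint they logged in from."""
        self.sessions[ip] = Session(username, group, ip, mac, session_id)

    def logout(self, ip):
        self.sessions.pop(ip, None)

    @staticmethod
    def _subject_matches(rule, session):
        if session is None:
            return False           # no identity, no match: identity is required
        if rule.subject == "any":
            return True
        kind, _, name = rule.subject.partition(":")
        return (kind == "user" and session.username == name) or \
               (kind == "group" and session.group == name)

    def decide(self, src_ip, dest_category, when):
        """Authorize a request from src_ip and record who made it."""
        session = self.sessions.get(src_ip)
        action, matched = "deny", None      # default deny
        for rule in self.rules:
            if not self._subject_matches(rule, session):
                continue
            if rule.dest_category not in ("any", dest_category):
                continue
            start, end = rule.allowed_hours
            if not start <= when.hour < end:
                continue
            action, matched = rule.action, rule.name
            break
        # The audit record carries the identity, not just the address.
        self.audit_log.append({
            "time": when.isoformat(),
            "src_ip": src_ip,
            "user": session.username if session else None,
            "group": session.group if session else None,
            "session_id": session.session_id if session else None,
            "dest": dest_category,
            "rule": matched,
            "action": action,
        })
        return action


# Constructed rule base: identity, not IP, is the matching criterion.
DEMO_RULES = [
    Rule("guest-isolation", "group:guest", "any", (0, 24), "deny"),
    Rule("finance-webmail-office-hours", "group:finance", "webmail", (8, 18), "allow"),
    Rule("finance-p2p-block", "group:finance", "p2p", (0, 24), "deny"),
    Rule("staff-web", "any", "web", (0, 24), "allow"),
]


def run_demo():
    """Replay a constructed day on one DHCP address and return the audit log."""
    fw = Layer8Firewall(DEMO_RULES)
    ip = "192.168.1.10"                                    # constructed endpoint
    fw.authenticate("alice", "finance", ip, "00-11-22-33-44-55", "sess-0001")
    fw.decide(ip, "webmail", datetime(2014, 5, 5, 10, 0))  # allow: office hours
    fw.decide(ip, "webmail", datetime(2014, 5, 5, 20, 0))  # deny: outside hours
    fw.decide(ip, "p2p", datetime(2014, 5, 5, 10, 0))      # deny: finance-p2p-block
    fw.logout(ip)
    # The DHCP lease moves to a guest: same IP, different identity, different outcome.
    fw.authenticate("bob", "guest", ip, "00-11-22-33-44-66", "sess-0002")
    fw.decide(ip, "web", datetime(2014, 5, 5, 10, 5))      # deny: guest-isolation
    # A host that never authenticated matches no rule at all.
    fw.decide("192.168.1.99", "web", datetime(2014, 5, 5, 10, 6))
    return fw.audit_log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["src_ip"], entry["user"], entry["dest"], entry["rule"], entry["action"])
```

The point of the replay is the last two decisions: with an IP-bound rule base both requests from 192.168.1.10 would be judged the same way, whereas here the second user is denied and the audit record names who was behind the address at that moment.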

User Identity-based Security Policy Controls

Cyberoam network security appliances (UTM, Next Generation Firewalls) offer security across Layer 2-Layer 8 using Identity-based policies

Cyberoam's Layer 8 Technology treats “User Identity” as the 8th Layer in the protocol stack

[Figure: the protocol stack with the USER as Layer 8]
L8 USER
L7 Application
L6 Presentation (ASCII, EBCDIC, ICA)
L5 Session (L2TP, PPTP)
L4 Transport (TCP, UDP)
L3 Network (192.168.1.1)
L2 Data Link (00-17-BB-8C-E3-E7)
L1 Physical

“Cyberoam's Layer 8 security system treats user-identity as the 8th Layer or the HUMAN layer in the network protocol stack, thus, attaching user identity to security. This takes organizations a step ahead of conventional security appliances which bind security to IP-addresses.”

Practical implications of Layer 8

Implementing Layer 8 in their networks enables organizations to base their security decisions on the actual human identities of users instead of IP addresses alone. This translates into a proactive security approach (instead of a reactive one), where security administrators are able to plan ahead, think through what security issues may come up in the future, and make front-end efforts to prevent surprise insider attacks. In view of that, a Layer 8-enabled organization is more capable of foreseeing what is coming down the road, and where the attackers are coming from.

Measuring User Threat Quotient (UTQ): In an era of fluid network perimeters, where employees, customers and partners require access to different levels of sensitive business information, administrators feel the constant need to review the changing threat scenario posed by various users. This is done by measuring their user threat quotient (UTQ). To make the administrator's task easy, Layer 8 involves identity-based heuristics.

Once the required information is gathered, administrators can calculate the UTQ by rating users on various parameters. For example, the susceptibility of users to attacks may be ascertained by their employee status: whenever there is a new joinee or a terminated/expelled employee, the threat incidence becomes more pronounced, because administrators notice deviations from normal, acceptable user behavior.

Administrators would also be interested in analyzing “who is doing what and when” in the network. This would furnish details such as usage of anonymous proxies, downloading of hacking tools, accessing data off-hours, and the total amount of data downloaded. Any malicious activity by users would automatically raise a red flag, because the administrator would have the entire context of his/her activity: repeated wrong password attempts, intrusion/hacking attempt alerts and more. It also enables individualized education for the end user.
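A worked example of the UTQ heuristic described above, added here and not Cyberoam's code or iView's format: Python that parses a few constructed identity-tagged log lines, scores each user on the parameters the paper lists (employee status, anonymous proxy usage, hacking-tool downloads, off-hours access, data volume, repeated wrong passwords and IPS alerts) and flags users above a threshold. The log format, the weights, the threshold and the office-hours window are assumptions.

```python
"""User Threat Quotient (UTQ) scoring over identity-tagged logs.

Added example, not Cyberoam's code. The log format, weights, threshold and
office hours are assumptions; the log lines and the directory are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2014-05-05T09:12:03 user=alice event=web category=business bytes=120000
2014-05-05T22:40:11 user=bob event=web category=anonymous_proxy bytes=50000
2014-05-05T22:41:50 user=bob event=download category=hacking_tools bytes=8000000
2014-05-05T23:02:00 user=bob event=auth result=failed
2014-05-05T23:02:09 user=bob event=auth result=failed
2014-05-05T23:02:15 user=bob event=auth result=failed
2014-05-05T23:10:30 user=bob event=ips signature=backdoor_activity
2014-05-05T14:30:00 user=carol event=download category=software bytes=900000000
"""

# Employee status from the directory (constructed); joiners and leavers rate higher.
EMPLOYEE_STATUS = {"alice": "regular", "bob": "notice_period", "carol": "new_joiner"}

OFFICE_HOURS = (8, 18)   # events outside this window count as off-hours (assumption)
WEIGHTS = {
    "anonymous_proxy": 15,
    "hacking_tools": 25,
    "off_hours": 5,               # per event outside office hours
    "failed_login": 3,            # per wrong-password attempt
    "ips_alert": 20,              # per IPS event attributed to the user
    "data_per_100mb": 2,          # per full 100 MiB downloaded
    "status": {"regular": 0, "new_joiner": 10, "notice_period": 20},
}
THRESHOLD = 40

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT(?P<hour>\d\d):\d\d:\d\d)\s+(?P<kv>.+)$")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["hour"] = int(m.group("hour"))
    return fields


def score_users(log_text, status=EMPLOYEE_STATUS, weights=WEIGHTS, threshold=THRESHOLD):
    """Rate every user seen in the log and flag those at or above the threshold."""
    scores, reasons, volume = defaultdict(int), defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or "user" not in f:
            continue
        u = f["user"]
        volume[u] += int(f.get("bytes", 0))       # also registers the user
        if not OFFICE_HOURS[0] <= f["hour"] < OFFICE_HOURS[1]:
            scores[u] += weights["off_hours"]
            reasons[u].append("off_hours")
        cat = f.get("category")
        if cat in ("anonymous_proxy", "hacking_tools"):
            scores[u] += weights[cat]
            reasons[u].append(cat)
        if f.get("event") == "auth" and f.get("result") == "failed":
            scores[u] += weights["failed_login"]
            reasons[u].append("failed_login")
        if f.get("event") == "ips":
            scores[u] += weights["ips_alert"]
            reasons[u].append("ips:" + f.get("signature", "unknown"))
    utq = {}
    for u in volume:
        chunks = volume[u] // (100 * 1024 * 1024)
        if chunks:
            scores[u] += chunks * weights["data_per_100mb"]
            reasons[u].append(f"downloaded_{chunks}x100MiB")
        st = status.get(u, "regular")
        scores[u] += weights["status"][st]
        if weights["status"][st]:
            reasons[u].append("status:" + st)
        utq[u] = {"score": scores[u], "reasons": reasons[u], "flagged": scores[u] >= threshold}
    return utq


def ranked(utq):
    """Users ordered from highest to lowest UTQ, for the administrator's review queue."""
    return sorted(utq, key=lambda u: utq[u]["score"], reverse=True)


if __name__ == "__main__":
    result = score_users(SAMPLE_LOG)
    for user in ranked(result):
        print(user, result[user]["score"], result[user]["flagged"], result[user]["reasons"])
```

The reasons list is what makes the score actionable: an administrator reviewing a flagged user sees the off-hours proxy use, the tool download, the failed logins and the IPS event together rather than as unrelated entries in four different reports, which is the "entire context" the paragraph above refers to.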

Adding speed to security: Organizations often go to great lengths in securing their physical infrastructure. They may store highly sensitive information in a special computer room, lock server areas, deploy CCTV cameras and anti-theft alarms, and restrict employees' access to different departments/zones of a building.

What if it were possible to build in similar levels of protection to prevent information theft? Layer 8 protects corporate data and servers from unauthorized outside access while granularly preventing chosen internal users from accessing LAN-resident sensitive data such as customer records, tenders and contracts, internal files and applications and more. Since access control policies can be configured directly based on username rather than through IP addresses alone, administrators can take faster decisions on preventing unauthorized entities (outsiders, malicious insiders etc.) from breaching the company's perimeter. This automatically adds speed to security.

Who is doing what?
Who is the attacker?
Who are the likely targets?
Which applications are prone to attack – who accesses them?
Who inside the organization is opening up the network? How?

Cyberoam’s integrated security built around Layer 8:

Cyberoam has incorporated the Layer 8 security paradigm in its Next Generation Firewall (NGFW). The Layer 8 design penetrates through each and every security module of these appliances and enables administrators to apply security, connectivity and productivity policies on users.

[Figure: the Layer 8 security appliance built around the individual user, with the following modules]

Firewall
- Embed user identity in rule-matching criteria
- Role-based administration
- Granular IM, P2P & applications control
- Prevent IP spoofing attacks
- VLAN support: work & profile-based groups

Intrusion Prevention System
- Identity-based IPS policies for users and groups
- Identity-based alerts and reports
- Prevent user-targeted blended threats, backdoors etc.

Wireless WLAN Security
- Segmented network for employees and guests
- No common pre-shared keys: prevent information theft
- Layer 8 authentication and identity-based reports

Cyberoam iView Logging and Reporting
- Intrusion events and policy violations
- Identity-based reporting: “who is doing what”
- Web surfing trends and search reports
- Top unproductive sites and users
- Virus and intrusions reporting

Bandwidth Management
- Committed bandwidth for regular users
- Traffic routing based on user needs for assured QoS
- Establish priorities based on users, categories, applications
- Time-based bandwidth allocation for users

Application Layer 7 Visibility and Controls
- Visibility and controls on applications' usage by users
- Organization-wide application access policies for individual users
- User hierarchy-based application access control

Instant Messenger controls
- Prevent employees from idle chat
- Block file transfers, webcams, video
- Restrict who can chat with whom
- IM audit logs to study user behavior
- Keyword-based content filtering on chat window

Content Filtering
- Policies on users, groups, departments, hierarchy
- Block users from malware-laden sites
- Blocking IM, P2P applications & proxies
- Know “who is surfing what”

The Cyberoam identity-based firewall offers an interface for achieving unified security, allowing rules for all features to be configured and managed from the firewall page with complete ease. Layer 8 binds the security features into a single, consolidated security unit and enables the administrator to change security policies dynamically while accounting for user movement: joiner, leaver, rise in hierarchy etc.

Through the Cyberoam Intrusion Prevention System, Layer 8 identity-based policies can be applied to users as well as user groups. Identity-based alerts and reports are generated every time DoS/DDoS attacks, malicious code transmission, backdoor activity or blended threats occur due to user activities.

Cyberoam's identity-based reporting module, Cyberoam iView, pinpoints precise network activity for each and every user. The iView dashboard shows all network attacks on a single screen, with third-level drill-down reports (1000+ reports) for investigating the attacks and the users behind them.

Cyberoam's identity-based content-filtering feature streamlines the management of corporate Internet access by monitoring the Internet traffic generated by each user and the time one spends on Internet resources, and allows setting access limitations based on time and day of the week. In addition, Cyberoam network security appliances offer a user-, time- and role-based bandwidth management approach, which ensures that users consuming huge amounts of bandwidth for non-productive work are restrained at the time of policy-making.

Cyberoam Instant Messaging Controls with the Layer 8 identity-based approach keep productivity in check by allowing administrators to control who can chat with whom over all communication mediums, such as text chat, webcam and file transfer.

Layer 8 across Cyberoam’s entire Security Portfolio

Wireless WLAN security: Cyberoam network security appliances offer high-performance, Layer 8-based security over WLAN networks in order to secure wireless networks to the same extent as wired networks. Cyberoam offers strong user authentication, Internet access controls and reports with an identity-based approach, and offers separate Guest and Employee network access. With this, it has the ability to trace user-specific activities while reducing the risk of information theft and liability for cyber terrorism attacks.

Meeting regulatory compliance norms: Given the magnitude of threats to employee, customer and corporate data, compliance regulations such as HIPAA, GLBA, SOX, PCI DSS and more are forcing organizations to undertake security measures that control the access and activity of users. Faced with penalties in the case of non-compliance with regulations and loss of reputation in the case of data loss, organizations are under growing pressure to implement compliance measures within their network premises.

Cyberoam Product Portfolio

- Virtual Security Appliances
- Cyberoam Central Console (CCC)
- CR iView (Logging & Reporting)
- CR NG series NGFWs
- CR NG series UTMs

Toll Free Numbers

USA : +1-877-777-0368 | India : 1-800-301-00013
APAC/MEA : +1-877-777-0368 | Europe : +44-808-120-3958

Cyberoam Awards & Certifications

Check Mark Certified (www.check-mark.com); VPNC Certified: Basic Interop, AES Interop, SSL Portal, SSL Exchange, SSL Firefox, SSL JavaScript, SSL Basic Network Extension, SSL Advanced Network Extension; Recommended, Best Buy and Editor’s Choice awards (www.itpro.co.uk)

Copyright © 1999-2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved. Cyberoam & Cyberoam logo are registered trademarks of Cyberoam Technologies Pvt. Ltd. ®/TM: Registered trademarks of Cyberoam Technologies Pvt. Ltd. or of the owners of the respective Products/Technologies.

Although Cyberoam attempted to provide accurate information, Cyberoam assumes no responsibility for accuracy or completeness of information, neither is this a legally binding representation. Cyberoam has the right to change, modify, transfer or otherwise revise the publication without notice.