Date post: 30-Aug-2018
SonicWALL UTM Overview

Jon Piro, NA Channel SE

All Rights Reserved

SonicWALL Strengths

SonicWALL is in a leadership position across our key markets and gaining share.

SonicWALL has a growing, global install base of over 1 million customers

Our value is very hard to copy in the marketplace.
1. Excellent partnership with CDW to support our customers
2. Broad solution set for a wide range of customer needs
3. Unique deep packet inspection technology
4. Services model for dynamic security, productivity and support

Global Leaders Choose SonicWALL

Crabtree & Evelyn

The Need for Security: 2007 Security Trends

Today’s Reality

1. Organizations and people are dependent on technology
2. Attacks are now both obscured and actionable
3. Time from vulnerability to exploit is shorter

Perpetuated by:
Outdated technology
Continual security changes
Limited control
Human factors

The new attackers:
Cybercrime Organizations
Mafia Organizations
Professional Hackers
Company insiders

Susceptible Users


Why Would Anyone Target Me?

“I don’t run a web-site or any services”
“I only use my computer for work/email/browsing”
“I don’t store sensitive information on my computer”
“I have a personal firewall and AV software”

True – very few individuals are selected as targets, but anyone unprotected can be caught in the widely cast net.

Only with understanding of the scope and severity of the threat can we dispel the dangerous misconception of invisibility.

The Attack: Deception

Leveraging Trust
Sending IM and email to buddy/contact lists from infected machines, since the recipient knows/trusts the sender

Escalating the “Authenticity” of the Fraud
Professionally designed phishes
Multi-layered attacks, such as the recent Allied Irish Bank scam

Following the Masses
Going where the people are, leveraging the inherent trust of the portal. In 2006:
Wikipedia - http://www.heise.de/english/newsticker/news/80417
MySpace - http://seclists.org/fulldisclosure/2006/Nov/0275.html

Phishers Turn Pro

“http://142.176.247.82/SigninP1212...”

Really professional phish

Source: SonicWALL SMART Lab


Phishing: The Con Must Convince

“Undetectable” Allied Irish Bank scam uses a layered attack:
Uses previously installed malware to conceal the fraud
When a user browses to AIB, the virus activates and superimposes itself over the real page

The human factor cannot be ignored:

30% to 40% of employee Internet use is not work related*

37% of the US population use IM*

55% of online users have been infected with spyware*

Instant messaging security threats double every 6 months*

*Intl Data Corp * http://www.postordre.org/be-cm/files/402/EMOTA+Newsletter++Issue+082006.htm *Bigfoot Interactive *Gartner

[Bar chart: Non-work related activities. Categories: None, Hacking Tools, Illegal Software, DVDs, P2P File Sharing, MP3s, Streaming Media, Games, Personal IM. Values as extracted: 21%, 4%, 10%, 14%, 16%, 29%, 44%, 47%, 54%. Axis: 0% to 60%.]

Bottom line: Network misuse provides the fuel for today’s organized crime and workplace productivity issues

Why? Human Behavior Contributes

MyTob Worm

Discovered on: Variant returned again January 2007
W32.Mytob.@mm is a mass-mailing worm that propagates via network shares and through email
Opens a back door into the affected computer
Self protects by redirecting AV updates to local computer

Step 1: Arrives as an email or buffer overflow

[Diagram: Server Zone, User Zone]

Copies itself as %System%\msnmsgs.exe
Adds the value: “MSN” = “msnmsgs.exe” to registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

W32.Mytob@mm runs every time Windows starts

Step 3: Logs in to an IRC channel

[Diagram: Server Zone, User Zone, IRC Server]

Connects to an IRC channel on the irc.blackcarder.net domain on TCP port 6667
Advertises host PC IP address
Listens for commands that allow the remote attacker to perform the following actions:
Download files
Execute files
Delete files
Update itself
Get uptime information

Step 4: Generate potential targets and attack

[Diagram: Server Zone, User Zone, Random IPs]

Generates random IP addresses

Exploits the RPC/DCOM vulnerability
Allows the program to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service

Exploits the Windows LSASS vulnerability
This is a buffer overflow that allows remote code execution and enables a malicious user to gain full control of the affected system

Step 5: Uses its own SMTP server to send itself

[Diagram: Server Zone, User Zone, Find Email Addresses]

Searches for email addresses on local computer:
.wab .adb .tbb .dbx .asp .php .sht .htm

From: “Spoofed”
Subject:
hello
hi
error
status
Mail Transaction Failed
Mail Delivery System
SERVER REPORT
(No Subject)
(random alphabets)
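The indicators from Step 1 (registry persistence) and Step 3 (IRC channel) above can be turned into a host-triage check. This is an added example, not part of the original slides; the record layouts, host names and sample rows are constructed.

```python
# Added example: match the Mytob indicators from the slides against host
# telemetry. Record layouts, host names and sample rows are constructed.
RUN_KEYS = {k.lower() for k in (   # Step 1 registry locations, as listed
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
)}
VALUE_NAME, VALUE_FILE = "msn", "msnmsgs.exe"            # Step 1 value
IRC_DOMAIN, IRC_PORT = "irc.blackcarder.net", 6667       # Step 3 channel


def triage(registry_rows, connection_rows):
    """Return {host: set(reasons)} for hosts matching the slide indicators.

    registry_rows:   (host, key, value_name, value_data)
    connection_rows: (host, dest_name, dest_port, protocol)
    """
    findings = {}
    for host, key, name, data in registry_rows:
        image = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if (key.rstrip("\\").lower() in RUN_KEYS
                and name.lower() == VALUE_NAME and image == VALUE_FILE):
            findings.setdefault(host, set()).add("persistence")
    for host, dest, port, proto in connection_rows:
        if proto.lower() != "tcp":
            continue
        if dest.lower().rstrip(".") == IRC_DOMAIN:
            findings.setdefault(host, set()).add("irc-domain")
        elif port == IRC_PORT:
            # Port alone also matches legitimate IRC use: review, not verdict.
            findings.setdefault(host, set()).add("irc-port-only")
    return findings


SAMPLE_REGISTRY = [  # constructed
    ("ws-01", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "MSN", "msnmsgs.exe"),
    ("ws-02", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Tools\updater.exe"),
]
SAMPLE_CONNECTIONS = [  # constructed
    ("ws-01", "irc.blackcarder.net", 6667, "tcp"),
    ("ws-03", "chat.example.org", 6667, "tcp"),
    ("ws-02", "www.example.com", 443, "tcp"),
]

if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_REGISTRY, SAMPLE_CONNECTIONS).items()):
        print(host, sorted(reasons))
```

A host that shows both `persistence` and `irc-domain` matches two independent stages of the behaviour described on the slides; `irc-port-only` is a lead for review.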

SonicWALL’s Protection: Answers & Solutions

The Four Key Efficiency Elements for Business

Data

Technology, Applications & Users

Business Communication Company

Networks

Organizations have evolved and are dependent on technology and access to information

Organizations have fewer resources to work with

High price of security problems, downtime and productivity loss

Addressing the four technology forces is critical for success

“46% of security officers spend more than a third of their day understanding security threats”

“For 52% of the networks the perimeter is the only defense”

“38% of small and medium enterprises (SMEs) do not have enough IT staff”**

“32% of SMEs say a security strategy takes too much time to implement”**

“58% of SMEs say the network is too expensive to maintain properly”*

“Instant messengers and peer-to-peer applications were used in 7 of the top 10 Internet threats”***

Business Pain Points & Requirements

Worry-Free Use

Lowered Cost

Securing Assets

Limited resources

Limited Current Solution

Lower complexity & management: Management Reporting
Lower total cost of ownership: Productivity Control
Intelligent, adaptable solution: Network Intelligence
Automated, zero user intervention: Dynamic Architecture
Require Security for Today: Security Integration

SonicWALL Unified Threat Management

SMEs want reliable business communications and lower total cost of ownership

Pain Solution Requirements

*Preventsys ** Yankee Group ***Symantec

Complete Network Protection

Corporate Network Protection & Mobility

Corporate Networks

Secure Remote Connectivity with “Clean VPN”

High-Speed Unified Threat Management Protection and Prevention

Wireless and Wired Services, Content Filtering and Application Control

Client & Server Protection and Network Access Control Enforcement

SonicWALL Network Security solutions are designed for maximum protection, performance & efficiency and dynamic service capabilities

Secure Virtual Private Network

Protected Traffic

Remote Connectivity

Security Client Enforcement

Better Protection & Performance
Solutions Are Not Created Equal

[Diagram axes: Attack Sophistication; Routers, Firewalls, Cisco/Fortinet, SonicWALL UTM]

Current Firewalls
Port blocking
TCP/IP Rules
IP Routing
Link Layer

Typical UTM Protection
Limited scanning for Viruses/Worms/Trojans
Inbound Spyware protection
SNTP, HTTP, IMAP support
Content Filtering

Intelligent UTM Protection
Scan Unlimited Sized Files & Users
Block Applications such as Skype
Outbound Spyware Control
Content Filtering/Control & Phishing
Stream-based file support
“Clean VPN” – Protection for VPN Users

Network Threats
Simple DoS Attack
IP Spoof
Smurf Attack

Typical Threats
Downloaded or emailed Viruses
Easy to acquire Spyware
Misuse of network resources

“Highest Risk” Threats
Rootkits
Hidden malware in large files
Spyware communication outbound
Phishing attacks
Viruses transmitted to network drives
Skype/Instant Messenger threats

SonicWALL Unified Threat Management

Deeper Inspection & Greater Performance

SonicWALL 130Mbps

SonicWALL UTM Solutions

Connectivity
Secure connectivity
Access to resources
Wireless mobility
Network availability

Security Integration
Complete Protection
External Prevention
Internal Network Security
“Clean VPN”

Intelligence & Optimization
One point of network control
Content & application filtering
Business application prioritization
Ease of deployment & management

SonicWALL Unified Threat Management Platform
Management and Reporting
Dynamically Updated Architecture
Security Integration
Productivity Control
Network Intelligence
Client Identity/Integrity

Dedicated Content Security

Wireless
Small office
Medium/Large Business

The New TZ 190

Combine a PC card from your wireless carrier with the SonicWALL TZ 190 to create an instant secure broadband network anywhere

Remote Access Solutions

| | SSL-VPN 4000 | SSL-VPN 2000 | SSL-VPN 200 |
|---|---|---|---|
| Target Customer | Mid-to-large enterprises with 500 or more employees | Mid size organizations with 500 or fewer employees | Small organizations with 50 or fewer employees |
| Recommended number of concurrent users | 200 | 50 | 10 |
| Concurrent user license | Unrestricted | Unrestricted | Unrestricted |

Q & A

