Sourcefire下一代IPS解决方案介绍

1、SourceFire 下一代入侵防御解决方案议程SourceFire 公司介绍SourceFire下一代入侵防御解决方案介绍SourceFire 产品线介绍SourceFire收购对Cisco的意义Sourcefire is a Trusted Security Partner10 年以上安全经验从网络安全到恶意软件防御NGIPS, NGFW, Malware Protection | Physical, Virtual, Cloud客户遍及180多个国家创新: 52+ 获奖专利世界级研发队伍支持开源系统Snort, ClamAV, RazorbackIPS MQ LeaderAmericas

2、 Fastest-GrowingTech Companies 2012下一代IPS解决方案的领导者 Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.SNORT- 开源的入侵防御引擎/众多SNORT的fans Sourcefire专注于威胁的安全模型攻击周期攻击之前攻击之中攻击之后评估加固实施策略检测阻挡确定影响范围控制传播修复网络 | 终端 | 移动设备 | 虚拟化Point-in-TimeContinuous你无法保护你了解不到的资产Sourcefire的安全方法Agile Secur

3、ity 针对攻击发生之前/之中/之后的持续安全过程自动调整安全策略保证安全响应实时实施，永久有效将看到的数据转换为关联信息Sourcefire Agile Security安全职能Management Center硬件平台 | 虚拟化平台下一代防火墙下一代入侵防御高级恶意软件防护情景感知主机 | 移动平台硬件平台 | V虚拟化平台议程SourceFire 公司介绍SourceFire下一代入侵防御解决方案介绍SourceFire 产品线介绍SourceFire收购对Cisco的意义 ATTACK CONTINUUMNGFWNGIPSAMPSourcefire的主要产品网络设备虚拟化平台终端软件

4、FIreSIGHT 管理中心Gartner 定义的 下一代IPS & 下一代防火墙下一代IPS(NGIPS)Standard first-gen IPSApplication awareness and full-stack visibilityContext awarenessContent awarenessAgile engine下一代防火墙(NGFW)Standard first-gen firewallApplication awareness and full-stack visibilityIntegrated network IPS Source:“Defining Next-

5、Generation Network Intrusion Prevention,” Gartner, October 7, 2011. “Defining the Next-Generation Firewall,” Gartner, October 12, 2009 “Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IP

6、S capabilities.“攻击 之前策略控制扫描环境Attacks, Devices, OS, Applications, Flow, Users, Vulnerabilities, Files策略部署Policy enforcement (whitelist), Access & Application Control, Auto IPS Tuning评估策略攻击之中识别阻挡检测保护#1 Detection Rate (99% - NSS)100% MS Vulnerability Coverage16,000+ Snort RulesBig Data Cloud AnalysisSe

7、curity Intelligence/ IP ReputationOpen Rules攻击之后分析整改确定危害范围Analyze ImpactIdentify Compromised MachinesDetermine Point of Entry and Propagation 控制传播范围整改防火墙应用控制URL 过滤漏洞防护高级恶意软件防护IPS高级恶意软件防护IDS关联分析网络行为分析抓包分析高级恶意软件防护Sourcefire使用全过程的、系统化的连续防御手段对网络和终端的了解从而实现自动防御OSUsersDevicesThreatsApplicationsFilesVulnera

8、bilitiesFlow 主动了解你的环境（FireSight）攻击之前策略控制发现网络中的所有设备（Firesight）操作系統开放的服务客户端应用程序登录信息版本服务器端应用程序只有选择SourceFire才可以完整看到网络环境用户识别Packet Capture 抓包分析移动设备的自动发现详尽的IT现状分析应用流量分析应用风险分析谁在使用这些应用?使用者使用的什么操作系统?使用者还干了什么?使用者在什么时间访问的应用?策略部署:自动进行公司策略的部署应用控制:减少来自应用和客户端的威胁URL过滤:执行公司策略提高生产率和来自互联网的威胁自动调优:根据网络的变化自动调整策略部署策略进行控制

9、（NGFW）攻击之前可见,可控识别超过了1000多种应用和设备! 自动调整策略、规则Agile Security攻击之中智能分析和防护检测和防御攻击（NGIPS）Sourcefire IPS 规则16,000+ Snort 规则#1 检测效率(99% - NSS Labs)Sourcefire VRT开发开放可监控, 业界标准模式基于漏洞的特征高速单次解码引擎Security I智能/IP 名誉库Sourcefire VRTBots and C&CKnown AttackersBogus IPsPhishing/Spam IPsOpen proxies/relaysMalware IPs加入自

10、定制智能Third-party feedsGovernment-provided feedsUser-created feedsor阻挡恶意IP* Can be updated every two hours安全策略规则的描述2 SEU/SRU, 1 VDB 每周更新威胁库2 10 CVEs每天签名库变化180,000 每日恶意软件提交4,310 new IPS 规则 100%同一天保护微软漏洞发布98.9%行业 最优 每个 NSS Labs IPS group的漏洞覆盖率上一年统计精确零日的攻击阻挡NGIPS控制恶意攻击FireSIGHT全面情景感知 Security Intelligenc

11、e黑名单控制全面的访问控制By network zone, VLAN, IP, port, protocol, application, user, URL 完美集成IPS policiesAccess PoliciesFile control policiesSourcefire 攻击阻挡流程Firewall PolicyIPS PolicyFile policyMalware policyControlled trafficSwitching, Routing VPN, High AvailabilityURL awarenessSecurity IntelligenceIP Geo-lo

12、cation攻击之后分析和整改影响力分析Match the attack:Match, Port OpenLikely VulnerableNo Match, Port OpenLess LikelyNo Match, Port ClosedNot VulnerableAttack againstAgainst the targets OS, running programs, and their vulnerabilities:Match, Port OpenLikely Vulnerable11014202020Others: 64101.1% High Impact Investigat

13、e98.9% Less RelevantDramatic time savings and security focus关联分析查看攻击相关信息，比如:什么时间发生?谁被攻击?攻击者还与谁通讯过?被攻击主机的情况分析?攻击从哪里发起?确定危害的范围弱點(攻擊目標有已知弱點)疑似弱點(攻擊目標的操作系統或服務，已修補弱點)無弱點(無此服務)不存在(無此主機)入侵事件減少傳統IPS的 99%事件入侵事件评估分析流量分析网络异常检测网络行为分析智能安全IP 名誉库 可以阻止和告警:Botnet C&C TrafficKnown AttackersMalware, Phishing, and Spam

14、 SourcesOpen Proxies and Relays生成自己的名誉库从 Sourcefire 或第三方下载整体安全的智能化广泛理解连续分析联合响应大数据分析控制和整改攻击之后安全整改整改和危害分析攻击 之前策略控制扫描环境Attacks, Devices, OS, Applications, Flow, Users, Vulnerabilities, Files策略部署Policy enforcement (whitelist), Access & Application Control, Auto IPS Tuning评估策略攻击之中识别阻挡检测保护#1 Detection Rat

15、e (99% - NSS)100% MS Vulnerability Coverage16,000+ Snort RulesBig Data Cloud AnalysisSecurity Intelligence/ IP ReputationOpen Rules攻击之后分析整改确定危害范围Analyze ImpactIdentify Compromised MachinesDetermine Point of Entry and Propagation 控制传播范围整改防火墙应用控制URL 过滤漏洞防护高级恶意软件防护IPS高级恶意软件防护IDS关联分析网络行为分析抓包分析高级恶意软件防护So

16、urcefire使用全过程的、系统化的连续防御手段Sourcefire的安全团队VRTPrivate & PublicThreat FeedsFile Samples(180,000 per day)Advanced Microsoft & Industry DisclosuresFireAMPCommunitySnort & ClamAVOpen Source CommunitiesSourcefire AEGIS ProgramIPS RulesMalwareProtectionReputationFeedsVulnerabilityDatabaseUpdatesSourcefire Vu

17、lnerabilityResearchTeamSandboxingMachine LearningBig Data InfrastructureSPARKProgramHoneypotsSandnets议程SourceFire 公司介绍SourceFire下一代入侵防御解决方案介绍SourceFire 产品线介绍SourceFire收购对Cisco的意义Sourcefire 智能解决方案COLLECTIVESECURITYINTELLIGENCE管理中心APPLIANCES | VIRTUAL下一代防火墙下一代IPS高级恶意软件防护CONTEXTUAL AWARENESSHOSTS | VIR

18、TUAL MOBILEAPPLIANCES | VIRTUALSourcefire FirePOWER 产品展示LCD 显示屏“Quick and easy headless configuration”设备堆叠“Scale monitoring capacitythrough stacking”网络连接“Change and add connectivityinline with network requirements”FirePOWER加速“For best in class throughput, security,Rack size/Mbps, and price/Mbps”轻量级管

19、理Minimal operational impact双电源固态硬盘“Highest reliability and availability”FirePOWER technoogy is a specialized network processor and custom designed platform that accelerates data acquisition and classification故障直通“Maximum network uptime”网络模块(“NetMods”)接口模块4 x port 1Gbps Copper4 x port 1Gbps Fiber (SX

20、)2 x port 10Gbps Fiber SR2 x port 10Gbps Fiber LRCluster Module 与第二台设备连接所有的模块支持bypass/fail openField replaceableSourcefire 产品线FireSIGHT Defense CenterFirePOWER Appliances集群与堆叠技术 DC1500DC3500PERFORMANCEDC7503D701050 Mbps3D7020 100 Mbps3D7110 500 Mbps3D71201 Gbps3D81304 Gbps3D81202 Gbps3D8140 6 Gbps3D

21、8250 10 Gbps3D8260 - 20Gbps3D8270 - 30Gbps3D8290 - 40GbpsSSL Appliances Virtual Appliances3D7030 250 Mbps部署架构InternalDMZPerimeterINTERNETTechnologyDefense Center虚拟化部署虚拟IPS 识别潜在问题惡意流量网络间的意外橋接违规策略Virtual SensorVirtual SensorVirtual Sensor3D Sensor3D SensorDefense Center3D SensorVMware ESX ServerAppOSA

22、ppOSAppOSOSVSwitchAppOSAppOSOSAppAppProductionDevelopmentVSwitchspanAppOSAppOSAppOSOSVM3VM1VM2VM4AppVSwitchVSwitch多种方式实现恶意软件防护主机恶意软件防护Small (Size of a print driver)Watches for move/copy/executeTraps fingerprint & attributesQueries cloud for file depositionSaaS ManagerSourcefire SensorFireSIGHT Manag

23、ement CenterNo agent requiredAMP Malware license #Detection Services & Big Data analytics基于网络的恶意软件防护基于主机/虚拟平台/移动终端的恶意软件防护eStreamer API 实时获取Sourcefire的事件数据Remediation API 基于事件信息，在其他设备上进行动作 Host Input API 将第三方信息导入到sourcefire里，便于关联Database Access 第三方系统访问sourcefire的事件和主机信息Sourcefire API 介绍Licensing 介绍1

24、Requires Protect License 2 Requires Control License 3 Requires FirePOWER-based appliances 4 Requires Defense Center with FireSIGHT License“*” Note: the IPS features are included in the AMP edition but are not marketedNetwork ProductsFirePOWER Appliances 8000 and 7000 Series (with v5.x)Awareness Only

25、AMPNGIPS NGFW Standard Appliance Features Configurable Fail Open InterfacesConnection/Flow LoggingNetwork, User, and Application Discovery 4Traffic filtering / ACLsProtectNSS Leading IPS EngineAdd-on License*Comprehensive Threat Prevention*Security Intelligence (C&C, Botnets, SPAM etc)Blocking of Fi

26、les by Type, Protocol, and DirectionBasic DLP in IPS Rules (SSN, Credit Card etc.)*Control1Access Control: Enforcement by ApplicationAdd-on LicenseAdd-on LicenseAdd-on LicenseAccess Control: Enforcement by User Switch, Routing, and NAT Options 3VPNIPSec Site to Site VPN 2Add-on LicenseAdd-on License

27、Add-on LicenseURL FilteringURL Filtering Subscription 2Annual FeeAnnual FeeAnnual FeeAnnual FeeMalwareProtectionSubscription for Malware Blocking, Continuous File Analysis, Malware Network TrajectoryAnnual FeeAnnual FeeAnnual FeeAnnual Fee10%10% / yr.20% / yr.FinancialEducationTelco & CommercialNSS

28、Labs 测试报告IPS Methodology v6.2 (2012)SourcefireFirePOWER8260McAfee NSPM-8000HP SecurityTP-6100NJuniper SRX 3600IBM SecurityGX7800Protection98.90%95%91.1%88.8%77.5 %Real World IPS Throughput34Gbps(20 Gbps)12.3 Gbps(10 Gbps)10 Gbps(8 Gbps)3.7 Gbps(10 Gbps)11.4 Gbps(20 Gbps)Concurrent Connections60 M*5

29、M15 M1.2 M15 MTCO (per Mbps Protected)$15$31$36$81$44Sourcefire ConfidentialInternal Use OnlyNSS Labs 测试报告- 下一代防火墙SourcefireCheck PointPANSonicwallStonesoftProtection98.9%86.3%91.2%94.8%93.9%Real World Throughput10Gbps2.6Gbps3.8Gbps16.2Gbps1.6GbpsVendor Rating10Gbps17Gbps2Gbps30Gbps1GbpsConcurrent Connections15,000,000413,0001,040,14810,000,0001,055,000 NGFW Methodology v4.0 (2012)议