ICT Security 2010: The Threats of New Technologies
Alessio L.R. [email protected]
twitter: mayhemspp
FaceBook: alessio.pennasilico
Phone/Fax +39 045 8271202
Via Roveggia 43, Verona
Via Doria 3, Milano
http://www.aisgroup.it/
[email protected]
Cristiano [email protected]
BDM & SE Italy and Greece
Technology around me, security within me
Friday, 29 October, 2010
Alessio L.R. Pennasilico
Board of Directors: Associazione Informatici Professionisti, CLUSIT
Associazione Italiana Professionisti Sicurezza Informatica
Italian Linux Society, LUGVR, Sikurezza.org
Hacker’s Profiling Project
Security Evangelist @
Virtualization Risks
access to the administrative interface
reachability tests for HA
vMotion
iSCSI, NFS
Protecting VMs
Segment the network
Apply filters
IDS
Antivirus
Today’s Network Security Requirements
Situational Visibility & Awareness: Application Intelligence, Control with Visualization; Scanning of all out-going and in-coming traffic
Protection & Risk Management: Security effectiveness for maximum catch rates; Zero-day protection
Secure Access and Manageability: Flexible, yet granular controls; Multi-vendor interoperability
Scalability: Technology and Solutions; Network Performance / Policy & Administration
Compliance: Regulations and Standards; Proof
Physical and virtualized assets
Distributed networks, Users and Applications, Mobile devices, Embedded sensors
Copyright 2010 SonicWALL Inc. All Rights Reserved.
Vulnerabilities in the software everyone uses every day …
It’s Human Nature …
Programmers make mistakes
Malware exploits mistakes
Malware propagating at Application Layer
VoIP Risks
To work, IP phones may perform several preliminary actions, each vulnerable to different attacks:
✓ they obtain their IP address from a DHCP server
✓ they obtain the address of a TFTP server from DHCP
➡ I am the DHCP server, I point you to my TFTP
✓ they download the firmware from the TFTP server
➡ I am the TFTP server and I give you my firmware/configuration
✓ they download the configuration from the TFTP server
➡ I read the configuration from the TFTP server
✓ they authenticate to the VoIP server
➡ I sniff, or I pretend to be the PBX and force plain-text auth
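A defensive check for the DHCP and TFTP steps of the chain above, as an added example that is not part of the original slides: it audits DHCP offers seen on the voice VLAN for unauthorized servers and for TFTP options (66 and 150) that point somewhere unexpected. The log format, addresses and allow-lists are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records, in a hypothetical format that a DHCP-snooping
# sensor on the voice VLAN might log. All addresses are made up.
SAMPLE_LOG = """\
2010-10-29T09:00:01 OFFER server=10.10.0.1 client=00:04:f2:aa:bb:01 opt66=10.10.0.5
2010-10-29T09:00:01 OFFER server=10.10.20.77 client=00:04:f2:aa:bb:01 opt66=10.10.20.77
2010-10-29T09:00:04 OFFER server=10.10.0.1 client=00:04:f2:aa:bb:02 opt150=10.10.0.9
2010-10-29T09:00:07 OFFER server=10.10.0.1 client=00:04:f2:aa:bb:03 opt66=10.10.0.5
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def audit_offers(log_text, allowed_dhcp, allowed_tftp):
    """Return sorted (client, reason) findings for suspicious DHCP offers."""
    findings = set()
    servers_per_client = defaultdict(set)
    for line in log_text.splitlines():
        if " OFFER " not in line:
            continue
        fields = dict(FIELD.findall(line))
        client, server = fields.get("client"), fields.get("server")
        if not client or not server:
            continue  # malformed record, nothing to attribute
        servers_per_client[client].add(server)
        if server not in allowed_dhcp:
            findings.add((client, f"offer from unauthorized DHCP server {server}"))
        # Option 66 = TFTP server name, option 150 = TFTP server address
        for opt in ("opt66", "opt150"):
            tftp = fields.get(opt)
            if tftp and tftp not in allowed_tftp:
                findings.add((client, f"{opt} points to unapproved TFTP server {tftp}"))
    # Two servers answering the same phone means one of them should not be there
    for client, servers in servers_per_client.items():
        if len(servers) > 1:
            findings.add((client, "competing offers from " + ", ".join(sorted(servers))))
    return sorted(findings)


if __name__ == "__main__":
    for client, reason in audit_offers(SAMPLE_LOG, {"10.10.0.1"}, {"10.10.0.5"}):
        print(client, "->", reason)
```
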
Warning
VoIP can be more secure than traditional telephony. However, this is achieved through correct design, implementation and verification, following some best practices, from both the technical and the training point of view.
VoIP
Segment the network
Apply filters
IDS/Antivirus
QoS
Managed WiFi
Challenges in a Web 2.0 Environment
Allow use of Social Networking… but protect it… and control who’s using it
Allow use of Streaming Video… but control its usage
At the same time … Restrict P2P Applications … Restrict File Sharing … Restrict Gaming … Prioritize VoIP
Streaming Video
Recreational Use
Business Use
Application Chaos
IT Controls Challenged
Unacceptable Apps / Acceptable Apps
Identify, Manage and Control Application Chaos
Wireless Risks
Why me, of all people?
...Wardriving...
Device
Antennas
Alternative means
Very alternative...
Customizations
GPS coordinates
Cracca al Tesoro
“Geek” Treasure Hunt
www.wardriving.it
Useless Measures
Hiding the network name does not help
Filtering MAC addresses does not help
WEP gives a false sense of security
Protecting WiFi
WPA2 at home is a suitable solution
In a company you can run IPSec over WiFi or use WPA2/Enterprise
Protecting SCADA networks
Segment the network
Apply filters
IDS
Antivirus
Encryption
Application Intelligence & Control
Identify
Categorize
Control
By Application, By User/Group, By Content Inspection
By Application, By Application Category, By Destination, By Content, By User/Group
Prioritize, Manage, Block, Prevent Malware, Prevent Intrusion Attempts
Next Generation Firewall Platform
Example: Prioritize Application Bandwidth
Goal: Prioritize mission critical applications, such as SAP, Salesforce.com and SharePoint.
Ensuring these applications have priority to get the network bandwidth they need to operate can improve business productivity.
Solution:
App: SAP, Sharepoint, SFDC
Action: Bandwidth Prioritize
Schedule: Always
Users: All
Application priority can be date based (think end-of-quarter priority for sales applications)
Visualize - Attacks
Visualize - Applications
“External” threats
IDS
Antivirus
Antispam
Identify – By Users
Categorize
Malware loves Social Networking Too
Set-up: Create bogus celebrity LinkedIn profiles
Lure: Place link to celebrity “videos” in profile
Attack: Download of “codec” required to view video
Infect: Codec is actually Malware
Result: System compromised
(Gregg Keizer, Computerworld Jan 7, 2009)
Conclusions
SonicWALL Application Control Appliances
NSA E7500/8500
NSA E6500
NSA E5500
TZ 210 Series
NSA 3500
NSA 2400
NSA 240
NSA 4500
NSA 2400MX
SonicWALL Next Generation Firewalls feature:
Multi-Function Security Integration: Complete Threat Protection with Intrusion Prevention & Anti-Malware/Virus/Spyware; Content Control & URL Filtering; Full “Enterprise” quality Integrated Anti-SPAM; Protect whole infrastructures such as StoneWare Access
Application Visibility: Integrated Application Firewall; Policy control over Applications, Application use & File Types
Ultimate Connectivity: “Clean VPN” Secure IPSec Site-to-Site VPN Connectivity, Clean Wireless, Wireless Switch / Controller; Exceptional User Policy Control and Access to Resources; Integrated Wireless Switch offer “Clean Wireless”
Reliability, Optimization & Flexibility: Highly Redundant Hardware – Power/Fans; Business Application Prioritization & QoS; Integrated Server Load Balancing Feature-set; Flexible Deployments branch office, corporate & department network
Applications Award winning: Deployment & Management
Deep Packet Firewall
Clean VPN
Intrusion Prevention
Anti-Malware
Content Filtering
Bandwidth Management
Application Firewall
Full Anti-SPAM
Clean Wireless
Product developed to fully meet the requirements of the “system administrators” decree
VoIP
Web management interface
Web-based user interface
Multi-site
Integration of:
fax/sms/skype/“exotic” devices
Security
Is not a product
It is a process
Budget?
81% of intrusions occur on networks that do not meet the requirements of the most widespread standards / best practices / guidelines
Gartner
Thank you!
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subjected to Creative Commons Attribution-ShareAlike-2.5 version; you can copy, modify, or sell them. “Please” cite your source and use the same licence :)