Check Point IPS-1
(2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.)

Agenda
- Network Security Challenges
- IPS-1 Product Line Overview
- Introducing IPS-1: Accurate & Granular Attack Prevention; Aware, Adaptive & Actionable Security; Advanced Forensics & Reporting; Intuitive Centralized Management
- Summary

Velocity of change driving new security requirements (diagram)
- Environmental changes, each creating exposure: operating system patches, network environment changes, new vulnerabilities, network & application attacks
- Resulting new security requirements: asset classification & prioritization, network awareness, dynamic vulnerability "shielding", active detection & prevention, advanced forensics

Multiple threat vectors
- Attacks: worms, trojans, evasions, scans, spyware, hybrid attacks
- Insider threats: mobile devices, worms, trojans, data theft, backdoors, revenge
- Passive threats: network changes, critical vulnerabilities, policy violations, compliance
- Resulting security issues: more successful attacks, false positives, policy enforcement, granular monitoring and reporting, overburdened staff, complexity

What is needed: Aware, Adaptive and Actionable Intrusion Prevention (vector and detection & prevention requirements)
- Attacks: DEFEND the perimeter with multiple detection techniques, accurate detection and granular policy enforcement
- Insider threats: PROTECT the interior with customized detection methods, active quarantine and dynamic worm mitigation
- Passive threats: SHIELD & control by dynamically shielding vulnerabilities, awareness & control, and granular forensics & reporting

IPS Market Opportunity
- IDC Annual Security Survey, dedicated vs. integrated IPS market size, 2007 IPS markets: dedicated IPS $1.2 billion; integrated IPS $400 million
- Both are growth markets; Check Point is positioned in both segments

Check Point IPS-1: robust and accurate intrusion prevention
- Accurate & Granular Attack Prevention
- Aware, Adaptive & Actionable Security
- Advanced Forensics Analysis & Reporting
- Intuitive Centralized Management

IDS/IPS Maturity Model (chart of maturity over time)
- Phases: Blissful Ignorance, Awareness Phase, Preventive Phase, Operations Excellence Phase
- Technologies plotted: Firewalls, IDS, VA, IPS, Check Point IPS-1

IPS-1 Architecture
- 3rd party integration: HP OpenView, ArcSight, Intellitactics, NetForensics, Nessus, more
- IPS-1 Management Dashboard: centralized management, real-time views, advanced forensics, reporting and compliance
- IPS-1 Management Server: optimized data store, multi-element correlation, dynamic shielding
- IPS-1 Sensor: hybrid detection engine, confidence indexing, open signature language, multi-mode prevention appliance with failover

IPS-1 Product Line (price/performance chart)
- Remote offices: IPS-1 Sensor 50 and 200
- Branch offices & mid-size businesses: IPS-1 Sensor 500
- Enterprises & data centers: IPS-1 Power Sensor 1000 and 2000
- Chart axes: price points of $7,000, $16,000, $28,000, $75,000 and $110,000; performance points of 100 Mbps, 500 Mbps and 4 Gbps

IPS-1 Models
- IPS-1 Sensor 50: remote office / network perimeter; throughput (IPS/IDS) 50/75 Mbps; 100,000 concurrent sessions; monitoring interfaces 2 x 10/100/1000 Mbps copper
- IPS-1 Sensor 200: remote office / network perimeter; throughput (IPS/IDS) 200/250 Mbps; 200,000 concurrent sessions; monitoring interfaces 2 x 10/100/1000 Mbps copper or 2 x 1000 Mbps fiber
- IPS-1 Sensor 500: network perimeter (multi-segment); throughput (IPS/IDS) 500 Mbps / 1 Gbps; 500,000 concurrent sessions; monitoring interfaces 4 x 10/100/1000 Mbps copper or 4 x 1000 Mbps fiber
- IPS-1 Power Sensor 1000: network core (multi-segment); throughput (IPS/IDS) 1/2 Gbps; 1.2 million concurrent sessions; monitoring interfaces 8 x 10/100/1000 Mbps copper or 8 x 1000 Mbps fiber
- IPS-1 Power Sensor 2000: network core (multi-segment); throughput (IPS/IDS) 2/4 Gbps; 2.8 million concurrent sessions; monitoring interfaces 8 x 10/100/1000 Mbps copper or 8 x 1000 Mbps fiber

Mission Critical Protection: the IPS-1 Hybrid Engine
- Hybrid Detection Engine: vulnerability signatures, exploit signatures, anomaly detection, protocol analysis, application awareness, IP reassembly, OS fingerprinting, application fingerprinting, multi-element correlation, dynamic worm mitigation
- N-Code signature language: a powerful and flexible signature language that extends detection capabilities
- "0-day" attack prevention for 30+ application layer protocols

Introducing Protocol Analysis
- Network layer & transport layer protocol analysis
- Application layer pre-processing analysis
- Application layer protocol analysis: protocol misuse; protocol anomalies (static & dynamic)
- State-based application layer protocol analysis

Pattern Matching vs. Protocol Analysis (algorithm complexity)
- Pattern matching: O(n). Protocol analysis: O(log n), following the search path of protocol analysis

An Example of Protocol Analysis Inspection
- An old version of Sendmail has a buffer overflow vulnerability: after "$ telnet 25", sending "WIZ" and then "shell", or "DEBUG", returns a "#" prompt; then you can gain the root shell!
- Traditional pattern matching inspection: inspect every packet for whether it contains "WIZ" | "DEBUG"
- Step 1: inspect the port number to minimize the inspection scope: port 25: "WIZ" | "DEBUG"
- Step 2: check whether the packet is sent by the client side: port 25: client-sends "WIZ" | client-sends "DEBUG"
- Step 3: stateful inspection + anomaly detection (a decision on the anomaly branch of the state machine): port 25: stateful client-sends "WIZ" | stateful client-sends "DEBUG"; after a stateful "DATA", a client-sent line of 1024 bytes means a possible buffer overflow

Introducing Application Layer Stateful Inspection (Context Based Inspection)
- Transport layer state tracking: unidirectional, bidirectional, session + sequence number
- Application layer state tracking: data/command sequence, finite state machine
- An example of a finite state machine (diagram)
- An example of context-based inspection: record a state of the connection, then inspect in that context. The same string is a command in the first stream but only message text after DATA in the second:
  - Attack string 1: helo test / mail from:test / rcpt to:test / vrfy decode / data / hello test / . / quit
  - Attack string 2: helo test / mail from:test / rcpt to:test / data / hello test / vrfy decode / . / quit

OS Fingerprint and Application Fingerprint
- Example of OS fingerprinting: an x86-based overflow attack will not affect a SPARC platform

Aware, Adaptive & Actionable Security: Dynamic Shielding Architecture
- Dynamic Shielding Architecture (diagram): network flows, network changes, endpoint profiling, vulnerability information, adaptive updates, active quarantine, smart policy compliance, context detection
- Manage and proactively protect against vulnerabilities in the network: the Vulnerability Browser enables vulnerability scanning, viewing and management; take action to prevent discovered vulnerabilities from being exploited
- Result: ensures your network is adequately protected; IPS-1 provides recommendations on actions to be taken to secure the network

Introducing Nessus
- The Nessus project was started by Renaud Deraison in 1998 and has been supported by Tenable Network Security since 2002
- The most popular vulnerability scanner: Nessus is used by 75,000 organizations world-wide
- UNIX based; a Windows based version is now available (3.0.5)
- License free, no IP limitation (updates arrive 7 days later than the "direct feed support", which is $1200 per year)

Advanced Forensics & Reporting: Confidence Indexing & Alert Correlation
- Quickly dissect attack data: monitor attack and prevention activity in real time; pinpoint attacks by grouping and drilling down on events and alerts; create informative reports from either ad hoc or pre-defined reports
- Easy, in-depth monitoring of alerts: the Alert Browser brings all alert information into a single dashboard for viewing and prioritization; use the numerous built-in alert groups or create new groups to suit your forensic needs
- Result: faster analysis and more efficient use of administrator resources
- Confidence indexing and real-time alert correlation

Central, scalable management
- Simplicity for small deployments, yet scalable for large enterprises
- Graphics, automation and wizard-driven features save your network security staff time and effort

Deployment (diagrams of a basic deployment and an enterprise deployment)
- Components shown: IPS-1 Protection Engine (Linux, Solaris), IPS-1 Enterprise Server (Linux, Solaris), Smart Sensor 100 (appliance), Power Sensor 1000 (appliance), centralized management client (Windows, Linux, Solaris)
- Network segments shown: Internet, management net, Sales & Accounting, IT & Engineering
- Sites shown: D.C., Seattle, San Jose, Dallas, New York, with an Eastern Regional Server and a Western Regional Server (Linux, Solaris)
- Outcomes: real-time visibility, management, reports, detailed knowledge

The IPS-1 Advantage
- High performance protection: data rates range from 50 Mbps to 4 Gbps. IPS-1 Power Sensors offer port density, high availability features and plug-in data rate expandability, guaranteeing data rate expansion without forklift upgrades.
- IPv6 support: IPv6 is a critical requirement in the U.S. Federal government and Europe, and IPS-1 offers full IPv6 support.
- Open signature language: the IPS-1 signatures and the signature language, called N-Code, are open, allowing customers to modify existing signatures or write their own.
- SmartDefense Research Center: a dedicated team of seasoned security research experts who continuously monitor the Internet for new exploits and vulnerabilities and provide rapid solutions.

Summary: Accurate & Granular Attack Prevention
- Mission critical protection: in-line, application layer intrusion prevention system; "0-day" attack prevention for 30+ application layer protocols; superior accuracy and resistance to IDS/IPS evasion
- The Hybrid Detection Engine: right-fit solutions for your price/performance needs
- Verdict: network sanitization & worm defense

Summary: Active Dynamic Network Protection
- A critical component of Check Point's long-term IPS vision
- Automatically import, correlate, and adapt to vulnerability data
- The most accurate reports possible on breaches and changes
- Check Point IPS-1 SmartDefense Services: the Security Response Team (SRT) is consistently faster than the competition; every IPS-1 customer owns the SRT's extensive knowledge base

Summary: Central Management
- Installation in minutes, NOT hours or days: "lights-out" IPS-1 Smart Sensor appliances can be drop-shipped; extensive security expertise is not required
- Intuitive, powerful interface: easily accessible forensics; user-customizable views & correlation; management reports; coming soon: Eventia integration
- Centralized management for the whole enterprise; coming soon: SmartCenter and P-1 integration
- "Check Point IPS-1 has one of the better interfaces." (Greg Young, Gartner Group)

Summary: Peace of Mind and ROI
- Security AND availability, all the time: fail pass-through mode; configurable latency tolerance (typically 1 ms); "learning mode"
- The most configurable, adaptive IPS in existence
- Check Point IPS-1 Sensors: never had a vulnerability; AES-128 encryption throughout
- ROI: reduce Annual Loss Expectancy (ALE); comply with regulations (SOX, HIPAA, etc.); the appliance model saves administration costs

Questions? Thank you! For more information, please visit our company website.
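The context-based inspection example from the protocol analysis slides (attack string 1 versus attack string 2, and the long-line check after DATA), as an added Python example that is not part of the original deck or of IPS-1 itself: a minimal SMTP finite state machine that only evaluates the command signatures while the client is in the command phase, next to the stateless pattern match it improves on. The alert names, the sample streams and the exact 1024-byte threshold handling are constructed for illustration.

```python
import re

# Constructed sample client->server streams: the two "attack strings" from the deck.
ATTACK_STRING_1 = ["helo test", "mail from:test", "rcpt to:test",
                   "vrfy decode", "data", "hello test", ".", "quit"]
ATTACK_STRING_2 = ["helo test", "mail from:test", "rcpt to:test",
                   "data", "hello test", "vrfy decode", ".", "quit"]

# Strings the deck flags when the client sends them as SMTP commands (hypothetical
# alert names). "Stateful client-sends" means they only count in COMMAND state.
COMMAND_SIGNATURES = {
    "sendmail-wiz-debug": re.compile(r"^\s*(wiz|debug)\b", re.I),
    "sendmail-vrfy-decode": re.compile(r"^\s*vrfy\s+decode\b", re.I),
}
MAX_BODY_LINE = 1024  # deck's rule: a 1024-byte line after DATA suggests overflow


def inspect_client_lines(lines):
    """Context-based inspection: walk the SMTP dialogue as a finite state machine.

    Returns [(line_index, alert_name), ...]."""
    state = "COMMAND"            # the slides' "record a state of the connection"
    alerts = []
    for i, line in enumerate(lines):
        if state == "COMMAND":
            for name, pat in COMMAND_SIGNATURES.items():
                if pat.search(line):
                    alerts.append((i, name))
            if line.strip().lower() == "data":
                state = "BODY"       # everything until "." is message text
        else:
            if line.rstrip("\r\n") == ".":
                state = "COMMAND"    # end of message, back to commands
            elif len(line.encode()) >= MAX_BODY_LINE:
                alerts.append((i, "smtp-long-body-line"))
    return alerts


def naive_pattern_match(lines):
    """Stateless matching of the same strings anywhere in the stream (the deck's
    'traditional pattern matching'), for comparison. Returns matching indices."""
    needle = re.compile(r"wiz|debug|vrfy\s+decode", re.I)
    return [i for i, line in enumerate(lines) if needle.search(line)]


if __name__ == "__main__":
    for label, stream in (("attack string 1", ATTACK_STRING_1),
                          ("attack string 2", ATTACK_STRING_2)):
        print(label, "stateful:", inspect_client_lines(stream),
              "naive:", naive_pattern_match(stream))
```

The stateful inspector alerts on attack string 1 only, while the naive matcher also fires on attack string 2, where "vrfy decode" is merely message body text.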