I say the data center. Of course I subscribe to the notion of defense-in-depth, but if there is one place security should never be neglected, it’s where all your important servers and data reside.

In principle, data center security is pretty straightforward. It’s ensuring secure application access by authorized users to approved applications. You have to do that while preventing threats and complying with regulatory requirements. Of course, you must also ensure that you do not impact performance or productivity; more on that later. I want to go back to the secure application enablement challenge.

Ensuring secure application access by authorized users to approved applications should be simple right? After all, you know what applications are running in your data center, and you know who your users are. Well, in theory you do, but your enterprise is probably made up of geeky application developers who are not only supporting off-the-shelf enterprise applications, but also developing home-grown custom apps that are using a variety of different ports. You’re either opening every port on your legacy firewall, or incurring the wrath of your app developers by taking too long to enable the right policy on the right firewall, the right VLAN, the right access.

How many data center legacy firewall ACLs are modified every day just to keep up with application adds, moves and changes? How long does it typically take to enable an application? And what about the “user” aspect of secure application enablement. Remember the X-Files mantra, “Trust No One”?

Forrester Research’s Zero Trust Model advocates that we apply it to networks today. Not “Trust but verify”, but “Do not trust, always verify”. This means you need to identify users or groups of users accessing applications. Based on the usage of the applications, you also need to segment parts of the data center to reduce the scope of vulnerability (i.e. the development apps should be separate from the production apps; the PCI servers should be segmented from the rest of the network and accessible only to the finance users).

Let’s add more complexities to the DC security problem. As I indicated earlier, the first mission of the data

center is to serve applications.  Any network security infrastructure that interferes with this primary mission cannot be placed in the data center. Network security infrastructure should be flexible enough to accommodate high-performance AND security.  It should also be flexible enough to accommodate changes in the nature of network security controls or policy (for example, adding content scanning or threat prevention), without having to add more devices, or re-design the network. It should be

flexible enough to integrate with the networking infrastructure, no matter what types of design (traditional data centers, next-generation Ethernet fabric designs, virtualized data center).

Phew, so what have we got now? A long long list of data center security requirements. How do we address this at Palo Alto Networks? I invite you to attend one of our worldwide Data Center Summits. We are kicking off this multi-city tour in Dallas, Texas on Feb 21^st.

We have an excellent agenda planned. This data center tour is an all-day exploration of data center security designs and considerations with Forrester Research (for North America venues) and IDC (for Europe and Asia venues), and our data center partner Brocade. We’ll provide details of how we align with Forrester’s Zero Trust Model and

deliver data center security with no compromises. Additionally, we will show how Palo Alto Networks’ next-generation firewalls integrate into next-generation data centers powered by Brocade VCS Fabric Technology. This promises to be an interesting seminar. Don’t forget to register soon, spots are filling up. I hope to see you there!

However, the finding that was most interesting and somewhat surprising to me as a network security professional was the volume of applications that never traverse port 80. We found that 35% of the 1,195 applications never use port 80 and yet consumed 51% of the total bandwidth. These are all your business applications such as Oracle and SAP. The reason for my surprise is the plain and simple fact that I had been lured into the “focus your security on port 80” trap by the current IT trends: cloud computing, social media, software as a service, and so on. View these and other key findings below.

The “apps not using port 80” finding confirms my view that too much focus on port 80 security is shortsighted and high risk. It is analogous to locking the front door without locking the side and back doors. Do you need to secure port 80? Absolutely! But more importantly, you need to control and protect all applications across all ports, all the time as a means of enhancing the business. This is what I call secure application enablement, or put differently, the rule of “allow but…”

• Allow SharePoint but control application functions
• Allow Oracle but protect against SQL attacks
• Allow Facebook for all, but limit posting to specific groups
• Allow Twitter but limit access by schedule
• Allow Streaming media but apply QoS
• Block all P2P applications

Secure application enablement will allow you to strike the balance of allowing social media but within usage and security parameters that are appropriate for your organization. Secure application enablement will help you encourage the use of business-focused browser-based filesharing applications, but block media-focused variants. And secure application enablement will allow you to restrict the use of remote access tools to only your IT and support staff – all of which traverse ports other than port 80.

The time of shortsighted application prevention systems (also known as traditional stateful inspection firewalls) is over.  The firewall needs to safely enable applications—and business.

What was the one defining similarity among employees’ use of applications in the workplace across the 19 different countries/regions we analyzed? A love for social networking applications.

Our data underscores how active employees are on social networks and that it’s not all about Facebook—the iconic social network dominates the North American and European markets, but not so throughout Asia and Japan.

Major markets such as Japan, Australia, Korea and – not surprisingly – China have more usage of other social networking apps in the enterprise than Facebook:

• Japan: Twitter usage represented 85% of all social networking traffic.
• Australia and New Zealand: micro-blogging site Tumblr was used more heavily than any other social networking application.
• Korea: Daum and Cyworld both are used more heavily in Korea than anywhere else.
• China: Usage of local favorites such as RenRen, Sina and Kaixin clearly dominate this category, leaving only 1% of social networking traffic to Facebook.

Data-Driven Analysis of Social Networks in the Enterprise in 2011 (Video)

• Read the Country Specific Findings

What else did we learn about usage of social networking when looking through our regional lens?

• France: Social networking games and plug-ins are used 50% more heavily than the global average.
• UK: Our data showed a surprisingly low usage of Twitter in the workplace relative to all other social networking activity, almost half the global average.
• Nordics: Vkontakte—originally a Russian only site, but now in 67 languages—consumed 20% of social networking traffic. We also saw Vkontakte usage is many German organizations.
• Benelux: Hyves holds its own in its regional market—representing 14% of social networking traffic.

There are many other application-usage trends that we could examine at a country-specific level. But social networking applications use has and will remain a major theme in our research because of its undeniable impact on our personal and work life. Organizations worldwide are at one stage or another in figuring out how to harness the benefits of social networking for their business. A natural step in the process is developing policies for securely enabling employees to use social networking applications.

Test Your Knowledge

If you think you have a good sense of application trends in your country, we encourage you to take one of our “five facts” tests below:

• Australia and New Zealand
• Benelux region
• Canada
• China
• DACH (Germany, Austria and Switzerland)
• France
• Hong Kong
• Korea
• Italy
• Middle East (Jordan, Kuwait, Oman, Qatar, Saudi Arabia, UAE)
• Nordics (Denmark, Finland, Norway, Sweden)
• Rest of ASEAN (Malaysia, Indonesia, Philippines, Vietnam)
• Singapore
• Spain
• Taiwan
• Thailand
• UK
• USA

These definitions are based on how the applications work, how they market themselves, the files that can be found as a registered user or through search engines and the volume of use we see. For example, YouSendit! is a great tool for delivering a large file to my remote teammates. A couple clicks and the files are there. Options exist to store the files in the cloud for future use. Our graphics department uses Dropbox for similar purposes. Files can be synched via a desktop folder or they can be transferred using the web-only option. The features these applications have (or may not have), their marketing messages, and from our research, the volume of use all support the work related use case. Could there be some personal use in there, sure. But not nearly on the same scale as the other set of entertainment focused applications.

Now let’s take a look at a couple entertainment oriented applications. First off, this set of applications consume twice as much traffic (used by employees) on corporate networks than do DropBox, Box.net and YouSendIt combined. In each of these examples, the features they offer users, registered or not, are entertainment oriented. A registered MegaUpload user will see a top 20 list of game demos, software and movie trailers in its top 20 listing. A visit to Filestube, registered or not, quickly highlights that they are very media and entertainment focused. It is hard for me to find a task that this set of applications will help me accomplish at work. At home, that may be a different matter.

Scientific analysis? Nope. Foolproof? No such thing. But that is not the purpose of the discussion. The purpose of the discussion is to highlight the fact that:

• These applications are in use on corporate networks – for both business and pleasure.
• Many of them traverse port 80 or port 443, making them invisible to common firewalls. Some of them have the ability to be configured to use other ports, making them even more invisible to traditional control mechanisms.
• Most importantly, they represent both business and security risks which that must be addressed.

With 65 different variants, and an average of 13 found on 1,506 out of 1,636 networks (92%) this set of applications is here to stay and organizations must apply appropriate policies to protect their network as well as their users.

Learn more here:

• Infographic: Summary of findings
• Slide show of key findings: Application Usage and Risk Report, December 2011
• The report: Application Usage and Risk Report, December 2011

• Get the report: Application Usage and Risk Report, December 2011
• Slide show of key findings: Application Usage and Risk Report, December 2011
• Check out the 2011 year in review video: The Year of Me

In October 2010, social networking was (and in some cases, still is) the poster-child for bad applications. It was viewed as a huge productivity and bandwidth sinkhole; a position we proved to be false in October 2010 with the bulk of the bandwidth consumed to be browsing. At that time, examples of corporate use of social networking were hard to find. Fast forward to December 2011 and examples from large, well known organizations such as Ford Motors, Caterpillar, and Nike are relatively easy to find. Is there some personal use mixed in with the corporate use? Absolutely. No one I know works 100% of the time while at work. In this case, organizations are figuring out the right balance between blocking and allowing these applications on the network. Something we call secure or safe application enablement.

The staggering 700% increase in Twitter usage can also be attributed to both corporate and personal use. Corporations have figure out that Twitter is a great way to keep in touch with their users, customers, and fans. We need look no further than our own Palo Alto Networks followers whom we can communicate with regularly.

Another reason is that Twitter has become a powerful tool that enables organizations, grass-roots or otherwise, to deliver their message to the masses quickly, effectively and repeatedly. There were examples where Twitter and other social media applications significantly influenced the volume of news about, and visibility of, a particular world-news event. Unrest in the Middle East, economic turmoil and associated demonstrations in Europe, disasters in Asia Pacific and the Occupy movement in the U.S. all experienced significant activity on social media applications.

Without question, social networking applications present organizations with ways in which they can reach new customers, build loyalty with existing customers and increase their business. But the pursuit of these rewards introduce business and security risks that must be considered and addressed.

Thanks for reading.

Time wasting, productivity killing, bandwidth hogging apps! Block ‘em all. Make me work! Surveys abound saying that 50% or more of companies block social networking – yet actual data shows that an AVERAGE of 16 social networking applications are running on 97% of the organizations analyzed. I am no statistician (or politician), but a 40% or more difference is not a small margin of error.

How am I using social media?  In some cases, my use is voyeuristic – I am watching my “wall” or “timeline” to keep up-to-date as needed with my friends and family while doing my job. Just like the “old” days when instant messaging was “hot”.  Or should I say still is hot, since an average of 10 webmail apps and 11 IM apps are still found on more than 95% of the companies analyzed.  That tells me that they are both healthy and thriving despite the social network juggernaut. Social media use is also embraced by the company as we figure out new and exciting ways to reach our current or new clients and partners. Or it is driving social change. Never before have so many world events garnered so much worldwide attention – social media is a huge part of that.

The year of me increased my circle of friends. But it also increased my potential enemies. 800 million people sharing too many unknown photos, links, and documents immediately raises privacy concerns. Rightfully so, the response has been to encrypt it. A better response would be to think first; should I click? Should I post this? Should I say this? But bad habits change slowly. And the cyber creeps know this. They know too that the common communications mechanisms are watched closely. So they use other, non-standard ports and protocols to execute their malicious tasks.

Yes, 2011 is the year of me. My applications. My malware. My pictures. My data. It was indeed an exciting year. What will 2012 hold?

Thanks for reading.

Rene’

Comparing the frequency of use and the percentage of file sharing (browser-/cloud-based) bandwidth consumed, we see that Dropbox crushes iCloud globally as well as across different geographic regions. To be fair, the iCloud App-ID was added in late October 2011, so the comparison, while valid, does not take into account newness of the application vs. the more established Dropbox offering. A more fair comparison will be to look at the usage and the bandwidth in October of 2012.

Comparing iCloud and Dropbox across different geographic regions.

The other interesting datapoint to look at is the manner in which Dropbox has differentiated itself in what an be considered a very crowded market. Since 2008, the number of browser-based filesharing applications has more than tripled, growing from 22 to 71 now identified in Applipedia. The growth is attributed to two factors; the first being the new applications being released to the market and the second is new App-IDs being added to the database. Regardless of the reasons for the growth, this is a crowded market segment.

Between April 2011 and November 2011, 65 different browser-based (or cloud-based) filesharing applications were found. On average, 13 variants were found across 1,506 (92%) organizations. For some perspective on the number of application variants found, an average of 13 variants per organization is considered to be high; only two other application categories. photo-video (29 variants) and social networking (16 variants) had more application variants.

Browser-based/Cloud-based filesharing comparison - frequency of use and bandwidth consumed.

Based on the upcoming Application Usage and Risk Report, Dropbox is the most commonly used application in its category and it is the 2^nd most heavily used, based on the percentage of bandwidth it consumes. Cleary Dropbox is doing something right in terms of differentiating itself from others. From what I can see, it is easy to use, it is reliable, and is relatively secure. Again, some similarities between Dropbox and Palo Alto Networks exist – both companies solve a particular challenge and do so in a differentiated manner, in crowded and competitive markets.

See you in 2012.

In response to this disclosure, Palo Alto Networks has released an emergency content update (version 281, released 12/7/11) that provides detection of attempted exploitation of the vulnerability described in this security bulletin.  The following signatures have been added: Signature 34562 (“Adobe Reader U3D Memory Corruption Vulnerability”) and 34563 (“Adobe Reader U3D Memory Corruption Vulnerability”).

Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices.  If you have any questions about coverage for this advisory, please contact support.

1. Achieving the same application visibility and control for users in branch offices and on the road. The PA-200 brings the full suite of next-generation firewall functionality to the enterprise branch office. The improvements to GlobalProtect (OS X and iOS support) extends the logical perimeter to a wider array of remote and mobile user
2. Defending themselves against “modern” malware – i.e., targeted, unique, and network-centric malware that isn’t caught by the existing set of technologies in the enterprise today. WildFire is a new capability that combines three really good ideas: the next-generation firewall, a sandbox analysis, and cloud-based scalability.

Our announcement was well received. Over the course of the launch, I spoke with a number of analysts and press, and a few key questions stuck out:

1. What makes something (e.g., a firewall, an IPS) “next-generation?”
2. Somewhat related: how is a branch office NGFW different than branch office UTM
3. How is this better than some of the existing sandbox technology out there?

When talking to Neil MacDonald, who has been a champion of bringing context to network security (e.g., bringing application and user into firewall policy decisions), he brought up the fact that the ability to bring CONTEXT into the firewall policy (i.e., not port 80 allow, but Skype or SharePoint allow) is what makes it next-generation. Similarly the IPS – if the IPS cannot incorporate context (an element of which is application), in its analysis of traffic, it’s not next-generation.

Somewhat related to that, I had a few reporters ask how this was different that a UTM box in the branch office, and the same applies – if the “allow” decision is made based on port, and then any application analysis is subsequent, it’s a UTM. UTM typically has cost savings as its primary design. NGFWs, per the comment above, focus on bringing context into that same decision.

Sandboxes have been around for a long time. Remember Finjan? The difficulty is deploying them in the network. More specifically, collection and enforcement tend to be challenges. First, it has to see all of the traffic/all ports. Second, it has to be able to decode all of the application protocols. Third, in order to do any enforcement, it has to be in line. TCP resets are not an enforcement mechanism, to quote a friend of mine. In-line sandboxes = latency. The NGFW, on the other hand, is in-line and sees all traffic, has application protocol decoders, and does enforcement – all at line speed with low latency. Combine that with the ability to send unknown executable content up to a cloud based sandbox and you have an enterprise-deployable capability. Which is in sharp contrast to previously conceived sandbox technology.

More on WildFire here.

]]> http://www.paloaltonetworks.com/researchcenter/2011/11/pa-200-launch/feed/ 0 http://www.paloaltonetworks.com/researchcenter/2011/11/pa-200-launch/ http://feedproxy.google.com/~r/PaloAltoNetworks/~3/qG325OLvTNA/ http://www.paloaltonetworks.com/researchcenter/2011/11/coverage-information-for-microsoft-security-advisory-2639658/#comments Wed, 09 Nov 2011 19:47:23 +0000 Taylor Ettema http://www.paloaltonetworks.com/researchcenter/?p=1812 Summary

Microsoft has published a Security Advisory (“Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege”, CVE-2011-3402) regarding a vulnerability in Microsoft Windows operating systems that can allow an attacker to craft a malicious TrueType font that can result in the execution of arbitrary code in kernel mode.

Complete information from Microsoft is available at http://technet.microsoft.com/en-us/security/advisory/2639658.

Coverage Information

Palo Alto Networks content update version 275 (released 11/8/11) provides signature-based detection of attempted exploitation of the vulnerability described in this Microsoft Security Advisory.

The following signatures have been added to detect exploitation of this vulnerability:

Severity	ID	Name	CVE	Default action
critical	34517	Microsoft TrueType Font Rendering Memory Corruption Vulnerability	CVE-2011-3402	alert
critical	34518	Microsoft TrueType Font Rendering Memory Corruption Vulnerability	CVE-2011-3402	alert

Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices.  If you have any questions about coverage for this advisory, please contact support.

Revision History

11/9/11 – Advisory posted

]]> http://www.paloaltonetworks.com/researchcenter/2011/11/coverage-information-for-microsoft-security-advisory-2639658/feed/ 0 http://www.paloaltonetworks.com/researchcenter/2011/11/coverage-information-for-microsoft-security-advisory-2639658/