AhnLab TrusGuard UTM Standard Proposal, 2010.11

Agenda
Summary: product overview, network layout at deployment, differentiators
- Network environment and the UTM concept
- AhnLab TrusGuard UTM
- AhnLab TrusGuard UTM features, Log Server, UI
- Service structure
- AhnLab TrusGuard UTM specifications
Product overview
TrusGuard UTM is a Unified Threat Management appliance built from the following functions:
1. Firewall / IPS to block network attacks
2. Proxy to block harmful content (viruses, worms, spam mail, etc.) at multiple layers
3. DDoS response engine
4. SSL-VPN for secure connections from untrusted segments, and others
Network layout at deployment (diagram)
The diagram shows the ASEC / AST update servers reached over the KT, DACOM and Hanaro CDN service (Hanaro 2 Center) and the Internet (ISP), and a customer network in which: the core network is protected by Absolute Firewall/IPS NP 8000 and Absolute A1000 with a TrusGuard UTM 1000 in front of the DMZ server farm; medium-network branches use TrusGuard UTM 400 and small-network branches use TrusGuard UTM 100, all managed by TrusGuard SCM; servers run V3 Net, clients run V3 IS, mobile devices run AhnLab Mobile Security; and mobile offices connect through SSL-VPN combined with End-Point Security.
Strengths of AhnLab TrusGuard UTM
- Integrated security framework against blended attacks: F/W, IPS, Anti-Virus, Anti-Spam, VPN; strong protection that combines network security with security contents
- Real-time response service for the latest threats: AV engine, worm/spyware signatures, anti-spam, URL DB
- Strong response to DDoS attacks
- SSL VPN combined with End-Point Security
Network environment and the UTM concept
Background of UTM: recent threat trends
- Behavior: blended threats; multi-layered attacks; combined network and PC attacks
- Flow: threats flow inbound and outbound across gateway, endpoint and host, using diverse delivery methods
- Characteristics: continuously generated threat content; threat priorities that differ by operating environment; unnecessary traffic
These trends call for Unified Threat Management: an intelligent security platform backed by a security contents service.
Background of UTM: the need to reduce TCO
Threats: spam mail, viruses, web hacking, spyware, worms, trojans, DoS/DDoS, SQL injection
Point solutions mean separate appliances from multiple vendors with differing service levels, which brings:
- high acquisition cost from adopting many security solutions
- management issues from the growing number of unit solutions
- technical-support issues from operating multi-vendor equipment
- time cost of learning how to operate each solution
- physical space and staffing needed for operations, etc.
UTM definition
Unified Threat Management: a comprehensive gateway security platform with a 24x365 threat response service
- Network platform: Firewall, VPN, IPS, application proxies, HA, DDoS protection
- Security contents: viruses, worms, spyware, attacks, spam, URLs
- Requirements: reliability, ease of use, price/performance, availability, integrated management
Approaches to implementing UTM
- Firewall: DPI processing technology; contents combined with firewall technology
- IPS: network security technology on a hardware appliance
- Application security and AV
- UTM: seamless integration, contents management and service, multi-layer blocking
AhnLab TrusGuard UTM
Differentiators of AhnLab TrusGuard UTM (1/4): designed for UTM from the start, optimally implemented
Unlike integrated appliances that bolt one or two modules onto a firewall or IPS, it was planned, designed and developed from the outset as a UTM appliance.
Architecture (diagram): user space holds the User Interface, Monitoring, Log Manager, Application Proxy (General, HTTP, SMTP, POP3, FTP, Oracle) and SSL VPN; kernel space on ANOS (AhnLab Network OS) holds the Firewall (firewall, NAT), Network DDoS Protection, IPS (signature, behavior) and QoS. Uncontrolled, unclean flows enter and controlled, clean flows leave; events/logs go to the UTM log server, and the VPN tunnel terminates at the host PC.
Differentiators of AhnLab TrusGuard UTM (2/4)
1. Network security technology proven with some 3,000 customers through Suhoshin Absolute and built up over more than 10 years,
2. Security contents that AhnLab has accumulated through more than 20 years of V3 development, and
3. 24x365 monitoring and real-time emergency update service by a dedicated response organization (ASEC*)
are combined, guaranteeing a stable network environment, high accuracy and real-time protection.
Architecture (diagram): security contents (virus signatures, worm/spyware signatures, contents DB) feed the Application Proxy, IPS and SSL VPN with End-point Security for harmful-content response; IPS signatures from ASEC threat analysis feed the Firewall, IPS and QoS for network-attack response; a DDoS Detector/Protector handles DDoS response; the Log Manager on the Network Framework and Kernel Framework forwards to the log server.
* AhnLab Security E-Response Center
Differentiators of AhnLab TrusGuard UTM (3/4): DDoS response
Detection is based on the degree of dispersion of sources when a large number of connection attempts from unspecified IP addresses target a specific server.
- Stage 1 (pre-processing): block abnormal packets flowing toward the target server
- Stage 2 (availability): when a DDoS attack is suspected, protect the target server with virtual proxy responses and use them to separate normal traffic from abnormal traffic precisely
- Stage 3 (blocking by range): apply differentiated connection policies per IP range judged to be part of the DDoS attack
- Stage 4 (network protection): limit the volume of traffic admitted to the targeted server
Engine components (diagram): Session Cache, Virtual Response Engine, DDoS Detection Engine, Spoofing Detection Response Engine, DDoS Verify Engine, DDoS Classifier, DDoS Adaptor, DDoS Limit Engine, DDoS Rate Limit.
Differentiators of AhnLab TrusGuard UTM (4/4): collaboration with End-Point Security
Unverified PCs are brought under AhnLab's MyKeyDefense / MyFirewall solutions so that the whole security domain is covered. Infected systems that become the source of threats are discovered, and the appropriate blocking and quarantine policies are enforced.
Remote / mobile client flow (diagram): the user logs in to https://utm with ID/password over SSL VPN; the gateway checks for MyFirewall and MyKeyDefense and installs them if missing; the SSL VPN client and NDIS driver are installed; after SSL VPN login, encrypted VPN communication reaches the head-office network (Web, TCP, UDP, DNS and WINS servers) while the VPN session time is monitored; on completion the client is uninstalled and cache and cookie files are deleted.
AhnLab TrusGuard UTM features, Log Server, UI
Key features (1/3)
Firewall
- Stateful packet inspection with DPI (Deep Packet Inspection)
- Performance independent of the number of policies and sessions
- Route and Transparent mode
- Dynamic and multicast routing protocols
- Object-based, intuitive configuration and convenient management
- Schedule-based policies
- Availability: Active-Active HA; full-mesh configuration without a switch
Intrusion Prevention
- Signature-based intrusion prevention
- Behavior-based intrusion prevention: statistical thresholds and phase-shift checks; anti-scanning, anomaly detection, user-defined behavior rules
- 3-stage malware detection: Unknown Worm Protection (predictive blocking), Outbreak Prevention (early worm-spread prevention), Known Worm Protection (blocking of known worms)
Key features (2/3)
Security Contents
- Threats covered: virus, worm, spyware, adware, spam, phishing, malicious sites
- 24-hour monitoring and analysis of threats by ASEC
- 24x365 real-time updates through the CDN
- Supported protocols: SMTP, HTTP, POP3, FTP
- Performance optimization through load balancing
- Quarantine based on detection of infected systems
DDoS Protection
- Detection of and response to DoS attacks from a specific attacker
- Attack detection based on traffic volume, distribution and timing
- Response to DDoS attacks that use social engineering or IP spoofing: early response through virtual responses; discrimination of abnormal traffic through attacker-distribution analysis; guarantee of normal service through control of attack traffic
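The four-stage DDoS pipeline described under Differentiators (3/4) and in the DDoS Protection list above, as an added example that is not AhnLab's engine or code: a pre-filter for malformed packets, a dispersion-based suspect test per target, a handshake result standing in for "answered the gateway's virtual response", per-/24 policy from the share of unverified sources, and a budget on admitted connections. The record format, thresholds and the sample traffic window are all constructed assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# All thresholds below are assumptions chosen for the sample window, not product values.
BOGONS = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]
BAD_FLAGS = {"SYN+FIN", "NULL", "XMAS"}   # flag combinations no real client sends
SUSPECT_ATTEMPTS = 40                     # connection attempts to one server in the window
SUSPECT_DISPERSION = 0.5                  # unique sources / attempts
BLOCK_RATIO, LIMIT_RATIO = 0.8, 0.3       # unverified share per /24 -> block / limit
TARGET_BUDGET = 20                        # connections admitted to a target per window


def stage1_preprocess(records):
    """Stage 1: drop packets that are abnormal on their face (bad flags, src == dst, bogon source)."""
    clean = []
    for r in records:
        src = ip_address(r["src"])
        if r["flags"] in BAD_FLAGS or r["src"] == r["dst"] or any(src in n for n in BOGONS):
            continue
        clean.append(r)
    return clean


def stage2_detect(records):
    """Stage 2: a server is suspect when many attempts arrive from widely dispersed sources.
    For a suspect, each record's 'handshake' flag says whether the source completed the
    virtual handshake the gateway answered on the server's behalf (spoofed sources cannot)."""
    by_dst = defaultdict(list)
    for r in records:
        by_dst[r["dst"]].append(r)
    suspects = {}
    for dst, recs in by_dst.items():
        dispersion = len({r["src"] for r in recs}) / len(recs)
        if len(recs) >= SUSPECT_ATTEMPTS and dispersion >= SUSPECT_DISPERSION:
            suspects[dst] = recs
    return suspects


def stage3_classify_ranges(recs):
    """Stage 3: per /24 source range, policy from the share of sources that never verified."""
    total, unverified = Counter(), Counter()
    for r in recs:
        net = ip_network(f"{r['src']}/24", strict=False)
        total[net] += 1
        if not r["handshake"]:
            unverified[net] += 1
    policy = {}
    for net in total:
        ratio = unverified[net] / total[net]
        policy[net] = "block" if ratio >= BLOCK_RATIO else "limit" if ratio >= LIMIT_RATIO else "allow"
    return policy


def stage4_rate_limit(recs, policy, budget=TARGET_BUDGET):
    """Stage 4: admit only verified connections under the range policy, capped by the budget;
    a 'limit' range gets at most a quarter of the budget."""
    admitted, dropped, limited_seen = [], 0, Counter()
    for r in recs:
        net = ip_network(f"{r['src']}/24", strict=False)
        if policy[net] == "block" or not r["handshake"] or len(admitted) >= budget:
            dropped += 1
            continue
        if policy[net] == "limit":
            limited_seen[net] += 1
            if limited_seen[net] > budget // 4:
                dropped += 1
                continue
        admitted.append(r)
    return admitted, dropped


def mitigate(records):
    """Run all four stages and return a summary per suspected target."""
    clean = stage1_preprocess(records)
    report = {"dropped_malformed": len(records) - len(clean), "targets": {}}
    for dst, recs in stage2_detect(clean).items():
        policy = stage3_classify_ranges(recs)
        admitted, dropped = stage4_rate_limit(recs, policy)
        report["targets"][dst] = {"policy": {str(n): a for n, a in policy.items()},
                                  "admitted": len(admitted), "dropped": dropped}
    return report


def sample_traffic():
    """Constructed window: one spoofed flood range, one legitimate range, one mixed range,
    two malformed packets, and a quiet second server that must not be flagged."""
    def rec(src, dst, flags="SYN", hs=True):
        return {"src": src, "dst": dst, "flags": flags, "handshake": hs}
    recs = [rec(f"203.0.113.{i}", "10.0.0.5", hs=False) for i in range(1, 61)]   # spoofed flood
    recs += [rec(f"198.51.100.{i}", "10.0.0.5") for i in range(1, 9)]            # real clients
    recs += [rec(f"192.0.2.{i}", "10.0.0.5") for i in range(1, 4)]               # mixed range: 3 real
    recs += [rec(f"192.0.2.{i}", "10.0.0.5", hs=False) for i in range(4, 6)]     # ... and 2 spoofed
    recs += [rec("198.51.100.9", "10.0.0.5", flags="SYN+FIN"), rec("10.0.0.5", "10.0.0.5")]
    recs += [rec(f"198.51.100.{i}", "10.0.0.6") for i in range(1, 6)]            # quiet server
    return recs


if __name__ == "__main__":
    print(mitigate(sample_traffic()))
```

On the sample window the flood range is blocked outright, the legitimate range is admitted, the mixed range is throttled, and the quiet second server never enters the pipeline, which is the point of keying detection on per-target dispersion rather than on raw volume alone.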
Key features (3/3)
SSL VPN
- Operates in gateway-to-client mode
- Client-level service comparable to an IPSec VPN
- Enhanced end-point security: keystroke-capture detection and firewall functions at initial connection; deletion of HTTP cache and cookies when the session ends
Traffic Management (QoS)
- Bandwidth guarantees for total traffic and per IP / port
- Manual configuration and automatic configuration from filtering results
- Per-policy QoS for traffic control
- Traffic shaping and policing
Log Server
- Highly scalable 3-tier structure
- Real-time log / event processing from many appliances
- Real-time monitoring: real-time attack status display; Top 10 by user, attack type and service type; real-time session monitoring
- Analysis: attack-pattern trend analysis; drill-down from the monitoring UI to detail; watch on specific event IPs
- Administrator alerting: thresholds and event alerting (e-mail)
UTM Log Viewer: Windows platform, dedicated log viewer, real-time monitoring, event tracing
Main UI (1/4): Task Monitor and Information panel (screenshot)
Main UI (2/4): Task Navigation, Main Navigation and Configuration Area (screenshot)
Main UI (3/4): Monitoring and Log views (screenshot)
Main UI (4/4): Quick Menu (screenshot)
Service structure
Security service infrastructure
Organization: ASEC (AhnLab Security E-Response Center)
- Security threat monitoring; malware collection and trend analysis; incident intake and response
- V3 engine development; malware detection and repair research; anti-malware engine development; spyware trend analysis
- Network threat monitoring; proactive / outbreak pre-emptive response service
AST (AhnLab Security Tower) delivers network contents signatures, IPS signatures, security patches, outbreak prevention, software upgrades, the AV engine, host IPS, anti-spyware, anti-phishing and system proactive defense over the CDN to: TrusGuard UTM, TrusGuard SCM, Suhoshin Absolute (Absolute F/W, Absolute IPS), V3 IS, SpyZero, APF, APC, APM, MyFireWall, MyKeyDefense.
Time-phased response system
- Stage 1: pattern prediction and blocking-policy distribution. The attack patterns of worms that exploit a reported vulnerability are predicted in advance, and blocking policies are generated and distributed; this also covers variants.
- Stage 2: early outbreak blocking-policy distribution. Early spread is prevented by e-mail filtering (subject, body, attachment name, attachment extension, etc.) and by inbound / outbound packet filtering on IP, port and protocol.
- Stage 3: network worm blocking-policy distribution. After sample collection and analysis, signature-based blocking policies are distributed.
Timeline (diagram): vulnerability reported (stage 1 policy) → worm first appears (stage 2 policy) → sample collected → AV engine and stage 3 policy released through AhnLab Smart Update.
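The stage 2 controls above, e-mail filtering on subject, body and attachment name or extension plus IP / port / protocol packet filtering, as an added example that is not AhnLab's code. The outbreak policy entries, the packet rules and the sample messages are constructed; real policies would come from the vendor feed. It uses only the Python standard library.

```python
import email
import re
from email import policy as email_policy
from email.message import EmailMessage
from ipaddress import ip_address, ip_network
from pathlib import PurePosixPath

# Constructed outbreak policy for a hypothetical mass-mailing worm (assumption, not a real feed).
OUTBREAK_POLICY = {
    "subject": [re.compile(p, re.I) for p in (r"^photo of you$", r"^document you requested$")],
    "body": [re.compile(p, re.I) for p in (r"see the attached file",)],
    "attachment_names": {"photo.scr", "document.pif"},
    "blocked_extensions": {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"},
}

# Constructed packet rules pushed alongside the mail policy; first match wins.
PACKET_RULES = [
    {"dir": "in", "proto": "tcp", "dport": 445, "action": "drop"},
    {"dir": "out", "proto": "tcp", "dport": 445, "action": "drop"},
    {"dir": "in", "proto": "udp", "dport": 1434, "src": "0.0.0.0/0", "action": "drop"},
]


def classify_message(raw, pol=OUTBREAK_POLICY):
    """Return (verdict, reasons) for a raw RFC 5322 message under the outbreak policy.
    Any attachment hit blocks the message; subject/body hits alone quarantine it."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    reasons = []
    if any(p.search(msg.get("Subject", "")) for p in pol["subject"]):
        reasons.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if any(p.search(body) for p in pol["body"]):
        reasons.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        # collapse padding such as "invoice.pdf      .exe" before reading the real suffix
        ext = PurePosixPath(re.sub(r"\s+", "", name)).suffix.lower()
        if name.lower() in pol["attachment_names"]:
            reasons.append(f"attachment-name:{name}")
        elif ext in pol["blocked_extensions"]:
            reasons.append(f"attachment-ext:{ext}")
    if any(r.startswith("attachment") for r in reasons):
        return "block", reasons
    return ("quarantine" if reasons else "allow"), reasons


def filter_packet(pkt, rules=PACKET_RULES):
    """Match a packet summary (dir, proto, dport, src, dst) against IP/port/protocol rules."""
    for rule in rules:
        matched = True
        for key, want in rule.items():
            if key == "action":
                continue
            if key in ("src", "dst"):
                matched &= ip_address(pkt[key]) in ip_network(want)
            else:
                matched &= pkt.get(key) == want
        if matched:
            return rule["action"]
    return "accept"


def build_sample(subject, body, attachment=None):
    """Construct a sample message as bytes; attachment is (filename, payload) or None."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, payload = attachment
        msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample("Photo of you", "Please see the attached file.", ("photo.scr", b"MZ"))))
    print(filter_packet({"dir": "in", "proto": "tcp", "dport": 445, "src": "203.0.113.7", "dst": "10.0.0.8"}))
```

The extension check strips whitespace before taking the suffix so that a padded name like "invoice.pdf      .exe" is still seen as an executable; the name list and extension list are deliberately separate so a new variant can be blocked by name before its extension is known.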
Distribution scenario
- Threat and URL collection feeds threat analysis / response (URL DB, worm / spyware / IPS) at the AhnLab Security Tower, which publishes through the Contents Delivery Network (KT, DACOM, Hanaro CDN Service, Hanaro 2 Center).
- Engine and feature improvements become patches published through the AhnLab Update Server.
- UTM side: 1. signature request and response, then 2. contents update (worm signatures, IPS signatures, spyware signatures, URL DB); 1. patch request and response, then 3. patch update (IPS engine patch, application patch).
AhnLab TrusGuard UTM specifications
S/W Specifications

Network Feature
- Operation Mode: Route Mode (NAT), Transparent Mode
- Routing Protocol: Static Routing, Dynamic Routing, Multicast Routing, Source Routing
- IP Assignment: Static, DSL, Secondary IP, 802.1Q VLAN, 802.3ad Link Aggregation, IPv6 <planned>
- Availability: Active-Active / Active-Standby HA (without L4), Full-Mesh network configuration (without L2), Bypass

Firewall
- Secure OS (ANOS): TCSEC B-1 level, access control using security labels
- Stateful Inspection: performance independent of rule count, black/white list based filtering, policy-based QoS, schedule-based policy
- User Authentication: One Time Password, RADIUS integration
- NAT: NAPT, Static (1:1), Dynamic (N:1, M:N), Exclude NAT

Contents Filtering
- Contents Filtering: Anti-Virus (AhnLab V3), Anti-Spyware (AhnLab Spyware), Anti-Spam, Anti-Phishing, Anti-Adware, Anti-Grayware, Anti-Malicious Site, user-defined contents filtering
- Application Proxy: HTTP, SMTP, POP3, FTP, Oracle, General TCP; IP/Port Redirection
- Quarantine: V3 APC integration (End-Point Client Security) <planned>, NAC integration <planned>
- Internet Access Control <planned>: block / warning message page, redirect

IPS
- Signature Based Prevention: 4000+ attack signatures; protocol analysis + pattern matching; evasion attack detection/prevention; web attack prevention; user-defined prevention; TCP reassembly; IP defragmentation; IP stealth mode; firewall integration; auto/manual signature update
- Behavior-based Prevention: outbreak-based prevention, D(D)oS prevention, anti-scan prevention, anomaly-based prevention, self-learning <planned>, Honey-Net <planned>

VPN
- SSL VPN: Gateway-Client; user-level access control; IPSec-VPN-style client-level service; End-point Security (MyFirewall, MyKeyDefense); automatic cookie / cache deletion; integration with the customer's internal DNS and WINS; customer notice page
- IPSec <planned>: Gateway-Gateway; Manual Key, IKE; 3DES, AES, SEED; SHA-1, HAS160; NAT Traversal; Hub & Spoke; Dead Peer Detection

Monitoring
- Network Monitoring, System Monitoring, Security Monitoring, IPS Monitoring, Worm Monitoring, Quarantine Monitoring, Virus Monitoring, Spam Mail Monitoring, SSL VPN Monitoring

Management
- User-friendly GUI; Web and SSH based configuration; System Management; User management; Alarm and Notifications; intuitive log management; SNMP, Syslog, E-mail; ESM integration <planned>; NMS integration <planned>
H/W Specifications

Item                      TrusGuard UTM 100        TrusGuard UTM 400               TrusGuard UTM 1000
Customers                 SMB                      SME                             Enterprise
Operation Mode            Route / Transparent      Route / Transparent             Route / Transparent
CPU                       Single                   Dual                            Dual
Management Port           -                        1                               1
Giga Port (Copper)        6                        4                               2
Giga Port (Fiber)         -                        4                               10
Fail Open                 Bypass (Copper)          Bypass (Copper / Fiber)         Bypass (Copper / Fiber)
Performance (Firewall)    400 Mbps                 800 Mbps                        2 Gbps
Size (W x D x H, mm)      426 x 379 x 43.5         424 x 530 x 88                  424 x 530 x 88
Environment               Operating 0~40 °C, storage -20~80 °C (all models)
Power                     250 W power supply       460 W power supply (redundant)  460 W power supply (redundant)
Threat content management and real-time response service platform: AhnLab TrusGuard UTM
Contact: Choi Kwang-won, Assistant Manager, 010 5476 2769 / 031 895 6401, kwangpel@woongil.co.kr