Security Trends and Network Intrusion Detection and Prevention

CCIE Summit 2006
Jonathan Limbo, Security Researcher, CCIE Security #10508
© 2006, Cisco Systems, Inc. All rights reserved.

Agenda
- The Security Climate
- The Evolution of Security Attacks
- Exploit Trends and Common Attack Vectors
- Intrusion Detection and Prevention "101"
- Deployment Considerations
- Network Sensor Deployment
- Post Deployment Issues
  - Custom Signatures
  - False Positives In-Depth
  - Security Intelligence/Awareness

The Security Climate

The Security Climate: Sept 5 to Oct 1
- Increasing activity: 142 events (74 Vulnerability Alerts, 56 Security Issue Reports, 5 Malicious Code Alerts, 5 Daily Virus Reports, and 2 Security Activity Reports)
- The month included several "zero-day" Microsoft vulnerabilities in Microsoft Office products and Internet Explorer
- Microsoft responded to the Windows VML Document Arbitrary Code Execution Vulnerability with an out-of-cycle security bulletin and patch on September 26, 2006
(Data from IntelliShield)

The Security Climate: Sept 5 to Oct 1 (Cont.)
- Microsoft Windows VML Document Arbitrary Code Execution Vulnerability
  - Functional exploit code is publicly available, and attackers are actively exploiting this vulnerability in the wild. Malicious software that exploits the vulnerability, Exploit-VMLFill, is currently in circulation
- Microsoft Internet Explorer WebViewFolderIcon ActiveX Control setSlice() Integer Overflow
  - Functional exploit code for this vulnerability on all affected Windows platforms is active in the wild

The Security Climate: Sept 5 to Oct 1 (Cont.)
- Two notable attacks on large service providers occurred
  - Hostgator reported an attack via a cPanel vulnerability that compromised their servers; the attack required Hostgator to reconfigure a reported 200 servers
  - In a separate attack, a Chinese service provider experienced an 8-hour attack that caused DNS servers to fail. This in turn caused 180,000 websites to become unreachable, including many large and popular websites in China
(Data from IntelliShield)

The Evolution of Security Attacks
- Carefully crafted attacks: complex
- Growth of public exploits: from PoC to 0-days
- Emergence of security tools: Core Impact, Metasploit, Canvas, etc.
- Detection-aware security attacks

Exploit Trends and Attack Vectors

Exploit Trends
- MSRPC exploits
  - Routing and Remote Access Service Code Execution (MS06-025)
  - Server Service Code Execution (MS06-040)
- File type exploits
  - PowerPoint 0-day (MS06-058)
- Browser exploits
  - Internet Explorer VML 0-day exploits
  - Internet Explorer setSlice 0-day exploits

Attack Vectors

- Weakest point: the end user, exploited through mass-mailers
- This has evolved to "one-click" exploits: spam mails with links to malicious websites
- Evolving attack vectors make attacks more dangerous
- The trend toward exploits delivered through web attack vectors is one of the most dangerous

Intrusion Detection and Prevention "101"

The Role of Intrusion Prevention/Detection
- Complementary technology to firewalls
- Been around for more than a decade; now a requirement in most networks
- Performs deep packet inspection, gaining visibility into details often unexplored by traditional firewalls
- Penetration has broadened now that IPS (inline IDS) has started to gain acceptance
[Diagram: Internet edge with an IPS sensor inline and an IDS sensor monitoring promiscuously]

IPS Terminology: What is IPS?
- IPS feature vs. IDS feature
  - The IPS feature is specifically inline monitoring with "deny packet" capability (but not necessarily used)
  - The IDS feature is promiscuous-only monitoring with post-attack response actions (TCP reset, or block on an external device)
- Cisco IPS software vs. Cisco IDS software
  - IPS software is usually capable of both inline (IPS feature) and promiscuous (IDS feature) monitoring, while IDS software is only capable of promiscuous (IDS feature) monitoring

IPS Terminology: What is IPS? (Cont.)
- Cisco IPS hardware vs. Cisco IDS hardware
  - IDS hardware is generally designed with only one port for promiscuous monitoring; getting inline monitoring typically requires adding an interface card
  - IPS hardware is designed for inline operation; typically two or more sensing ports by default

IPS Terminology: False Positives Defined
- "False positive" is the term most commonly used for any event that was incorrectly reported; the cases are worth separating:
  - False positive: a correctly named false positive is one where the sensor has triggered an alert based on a flawed algorithm
  - Benign trigger: the sensor has correctly interpreted network traffic as an attack, but the intentions behind the traffic were not malicious
  - False alarm (or noise): the sensor has correctly detected that an event occurred, but the event is non-threatening or not applicable to the site being monitored
- False negative: the term used when an IPS misses a real attack or event

IPS/IDS System Level Architecture
[Diagram: sensors (IDS and IPS) on the production network between the Internet and the inside network; management and monitoring on a separate management network]

Deployment Considerations

High-Level Deployment Considerations
- General location decisions (perimeter, internal, zones of trust, etc.)
- Purpose of deployment
- Response actions used
- Specific location decisions (between router and firewall, between two switches, etc.)
- Platform choice: integrated or stand-alone
- Inline performance requirements
- Control and responsibility issues for an inline device

High-Level Deployment Considerations (Cont.)
- Regardless of marketing, IPS is IDS deployed into the packet stream
- Pros
  - Inline response actions (deny packet)
  - TCP/IP traffic normalization
- Cons
  - Packet effects (latency, etc.)
  - Network effects (bandwidth, connection rate, etc.)
- There is little point in deploying inline if you don't take advantage of the situation

Placement Strategy
- Often, IPS cannot be implemented "everywhere" due to cost restrictions
- Where do you need to detect/stop an intrusion as soon as it occurs?
  - Where an incident would be most expensive (most valuable data)
  - At the entry to a sensitive domain, to detect the first successful step of the attacker (most exposed)
  - Between trusted/untrusted boundaries
- Look at the risks: prioritize based on the value of a resource and the exposure involved

IPS/IDS Deployment: What Areas Are Candidates?
- Business partner access
- Corporate network
- Internet remote access
- Systems management network
- Internet connections
- Remote/branch office connectivity

Network Sensor Deployment

First Step: Getting Traffic to Your Network IDS
- Traffic must be mirrored (replicated) to sensors in IDS mode
- Choices:
  - Shared media: hubs are not recommended
  - Network taps
  - Switch-based traffic mirroring (SPAN), directly or from an aggregation switch
  - Selective mirroring (traffic capture with VACLs)

Using a Network Tap
[Diagram: full-duplex link between firewall and router; the tap splits it into two streams, TX and RX, one carrying traffic from the firewall and one carrying traffic from the router]
- A tap splits a full-duplex link into two streams
- For sensors with only one sniffing interface, the two streams need to be aggregated onto one interface
  - Use a switch to aggregate, but don't exceed the SPAN port or sensor capacity

Switch-Based Traffic Capture
- Port mirroring: SPAN functionality and command syntax vary between product lines and switch vendors
  - Some limit the number of SPAN ports
  - Some allow you to monitor multi-VLAN traffic
  - Note that not all sensor vendors can handle multi-VLAN traffic
- Rule-based capture: VLAN ACL capture / MLS IP IDS
  - Policy Feature Card (PFC) required on Cisco Catalyst 6500
  - Allows you to monitor multi-VLAN traffic
  - Use "mls ip ids" when using "router" interfaces or when the interface is configured for Cisco IOS FW

Switch-Based Traffic Capture Example
- Using SPAN (CatOS): sets port 5 on module 4 and VLAN 401 to span to the monitoring port on the IDS module in slot 6

    switch(enable) set span 4/5 6/1 rx create
    switch(enable) set span 401 6/1 rx create

- Using VACL (CatOS): captures web traffic on VLAN 401 only, and sends the captured traffic to the monitoring port on the IDS module in slot 6

    switch(enable) set security acl ip WEBONLY permit tcp any any eq 80 capture
    switch(enable) set security acl ip WEBONLY permit tcp any eq 80 any capture
    switch(enable) commit security acl WEBONLY
    switch(enable) set security acl map WEBONLY 401
    switch(enable) set security acl capture-ports 6/1

IPS Sensor Architecture: The Big Picture
[Diagram: production network and management network; the sensor is managed from a Device Manager/CLI and a Management Center, exports events over SDEE to the management/monitoring station and MARS, sits inline in the packet flow, and can shun through an external device]

IPS Sensor Packet Analysis: A Day in the Life of a Packet
[Diagram: receive packet, "black box", transmit packet, with alarms and response actions emitted along the way]

The Producer (based on IPS 5.x sensor code)
- Receive packet
- Capture and buffer
- Check validity of packet lengths
- Parse L3 and L4 headers
- Check validity of checksums
- Hand the packet to the virtual sensor processors; events go to the virtual alarm processors; transmit packet

Virtual Sensor Processors (in packet-flow order)
- Layer 2 handler
- L3 fragment normalizer
- L4 TCP stream normalizer
- Signature processor, backed by the internal database
- Deny filter processor

Virtual Alarm Processors
- Event counter
- Event correlation
- Event summarizer
- Risk rating calculator
- Event action override
- Apply filters
- Perform response action
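As an added example (not code from the original deck or from Cisco), here is a minimal version of the Producer's front-end checks from the slides above, in Python: validate packet lengths, parse the L3 and L4 headers, and verify the IPv4 header and TCP checksums before anything downstream inspects the packet. The sample packets are constructed inside the block; the function and class names are this example's own, not sensor internals.

```python
import socket
import struct


class DropPacket(Exception):
    """Raised when a producer-stage check rejects a packet."""


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: 16-bit one's complement of the one's complement sum.
    Computed over a block that already carries a correct checksum, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold carries as we go
    total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def producer(raw: bytes) -> dict:
    """Length, header-parse and checksum checks performed before signature inspection.
    Returns the parsed L3/L4 fields on success, raises DropPacket otherwise."""
    # --- L3: IPv4 header ---
    if len(raw) < 20:
        raise DropPacket("truncated IPv4 header")
    if raw[0] >> 4 != 4:
        raise DropPacket("not IPv4")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise DropPacket("invalid IHL")
    total_len = struct.unpack("!H", raw[2:4])[0]
    if total_len < ihl or total_len > len(raw):
        raise DropPacket("IP total length disagrees with captured length")
    if ones_complement_sum(raw[:ihl]) != 0:
        raise DropPacket("bad IPv4 header checksum")
    proto = raw[9]
    pkt = {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]), "proto": proto}
    # --- L4: TCP header (UDP/ICMP are omitted in this example) ---
    if proto == 6:
        l4 = raw[ihl:total_len]
        if len(l4) < 20:
            raise DropPacket("truncated TCP header")
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", l4[:16])
        doff = (off >> 4) * 4
        if doff < 20 or doff > len(l4):
            raise DropPacket("invalid TCP data offset")
        pseudo = raw[12:20] + struct.pack("!BBH", 0, proto, len(l4))  # TCP pseudo-header
        if ones_complement_sum(pseudo + l4) != 0:
            raise DropPacket("bad TCP checksum")
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, window=win, payload=l4[doff:])
    return pkt


def verdict(raw: bytes):
    """Convenience wrapper: ('accept', fields) or ('drop', reason)."""
    try:
        return "accept", producer(raw)
    except DropPacket as e:
        return "drop", str(e)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes) -> bytes:
    """Fabricate a well-formed IPv4/TCP packet (no options) with correct checksums.
    Only used to construct sample input for this example."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp + payload


# Constructed samples: a clean HTTP request, the same packet with one TCP header byte flipped,
# and a frame cut short, as a sensor might see from a misbehaving SPAN port or tap.
SAMPLE = build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")
CORRUPTED = SAMPLE[:22] + bytes([SAMPLE[22] ^ 0xFF]) + SAMPLE[23:]
TRUNCATED = SAMPLE[:30]

if __name__ == "__main__":
    for name, frame in (("sample", SAMPLE), ("corrupted", CORRUPTED), ("truncated", TRUNCATED)):
        print(name, verdict(frame))
```

The point of the ordering is that nothing reaches the normalizers or the signature processor unless the lengths are self-consistent and the checksums verify; a packet the end host would discard is not worth an alarm, and rejecting it early is also what stops malformed-header tricks from confusing the later stages.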

Scaling Analysis: Signature Engines
- Traffic analysis is incredibly computationally intensive with large numbers of signatures
- Cisco IPS analysis is implemented with a series of engines that each inspect for a specific type of activity
- Signature engine types: Atomic, Flood, Traffic, Meta, Service, Normalizer, State, String, AIC, Sweep, Trojan, Other

Signatures Revisited
- Simple pattern matching, e.g. look for "root"
- Stateful pattern matching, e.g. decode a telnet session to look for "root"
- Protocol decode and anomaly detection, e.g. RPC session decoding and analysis
- Heuristics, e.g. rate of inbound SYNs: SYN flood?

Signature Updates
- Much like anti-virus, network IPSs must be kept up to date
- Cisco has a new home for security information, including IPS signatures
- A process must be developed to rapidly deploy new signatures as they are released
- Cisco Security Manager (and VMS) can auto-update sensors directly from CCO without human interaction
- Cisco has developed a new partnership with Trend Micro to provide enhanced virus and worm coverage as part of the normal IPS signature updates
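To make the signature styles on the Signatures Revisited slide concrete, an added example that is not part of the deck and not Cisco code: a simple per-packet pattern match, a stateful match over a reassembled TCP stream, and a SYN-rate heuristic, all run over constructed traffic in which "root" is split across two telnet segments that also arrive out of order. Class names, thresholds and the sample addresses are this example's own assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    """Already-decoded packet, as the signature processor would receive it (constructed for this example)."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    seq: int = 0
    syn: bool = False
    payload: bytes = b""


def simple_pattern_alarms(packets, pattern=b"root", port=23):
    """Simple pattern matching: each packet is inspected in isolation."""
    return [(p.ts, p.src, p.dst) for p in packets if p.dport == port and pattern in p.payload]


class TcpStreamMatcher:
    """Stateful pattern matching: reassemble the client side of each TCP flow by sequence number,
    then search the stream, so a pattern split across segments (or delivered out of order) still
    matches. A real normalizer also handles overlaps, retransmits and gaps; this keeps one copy per seq."""

    def __init__(self, pattern=b"root", port=23):
        self.pattern, self.port = pattern, port
        self.streams = defaultdict(dict)  # flow -> {seq: payload}
        self.fired = set()

    def feed(self, p: Packet):
        if p.dport != self.port or not p.payload:
            return None
        flow = (p.src, p.sport, p.dst, p.dport)
        self.streams[flow][p.seq] = p.payload
        stream = b"".join(self.streams[flow][s] for s in sorted(self.streams[flow]))
        if self.pattern in stream and flow not in self.fired:
            self.fired.add(flow)  # alarm once per flow
            return (p.ts, p.src, p.dst)
        return None


class SynRateDetector:
    """Heuristic: inbound SYNs per destination within a sliding window above a threshold -> SYN flood alarm."""

    def __init__(self, threshold=30, window=1.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # dst -> timestamps of recent SYNs
        self.fired = set()

    def feed(self, p: Packet):
        if not p.syn:
            return None
        q = self.recent[p.dst]
        q.append(p.ts)
        while q and p.ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and p.dst not in self.fired:
            self.fired.add(p.dst)
            return (p.ts, p.dst, len(q))
        return None


def build_sample_traffic():
    """Constructed traffic: a telnet login whose 'root' straddles two segments delivered out of order,
    five ordinary SYNs spread over five seconds, and a 40-packet SYN burst against one host in 0.4 s."""
    telnet = [
        Packet(10.0, "192.0.2.10", "10.0.0.23", 3456, 23, seq=10, payload=b"ot\r\n"),
        Packet(10.1, "192.0.2.10", "10.0.0.23", 3456, 23, seq=1, payload=b"login: ro"),
    ]
    normal = [Packet(20.0 + i, f"192.0.2.{i}", "10.0.0.80", 50000 + i, 80, syn=True) for i in range(5)]
    burst = [Packet(30.0 + i * 0.01, f"198.51.100.{i}", "10.0.0.80", 40000 + i, 80, syn=True) for i in range(40)]
    return telnet + normal + burst


def run_demo():
    packets = build_sample_traffic()
    stream_matcher, syn_detector = TcpStreamMatcher(), SynRateDetector()
    stateful = [a for a in (stream_matcher.feed(p) for p in packets) if a]
    floods = [a for a in (syn_detector.feed(p) for p in packets) if a]
    return {
        "simple": simple_pattern_alarms(packets),  # misses the split pattern entirely
        "stateful": stateful,                      # catches it once the stream is reassembled
        "syn_flood": floods,                       # one alarm for the burst, none for the normal SYNs
    }


if __name__ == "__main__":
    for engine, alarms in run_demo().items():
        print(engine, alarms)
```

The simple matcher is cheap but trivially evaded by segmenting the payload; the stream matcher costs memory per flow, which is exactly the scaling problem the Signature Engines slide is about; the rate heuristic never looks at payload at all and has to be tuned per site, which is where the false-alarm discussion earlier in the deck comes in.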

- New services are being created to decrease exposure time for late-breaking exploits (ICS) and to increase security knowledge and the speed of its distribution (IntelliShield)

Cisco-Trend ICS Service
[Diagram: enterprise network with a Cisco ICS server, a Cisco switch, a Cisco IPS 4200 Series sensor, a Cisco Catalyst switch with IPS blade, a Cisco router with IPS software, a Cisco router, and a Cisco ASA 5500 Series with AIP module]
- Line of defense: a broad set of Cisco devices that can become rapid-response mitigation nodes
- Mitigation measures: broad, near real-time (15 min.) ACL; high-fidelity (90 min.) signature
- Policy control: the Cisco ICS server administers and delivers virus- and worm-related solutions
- Outbreak intelligence: TrendLabs worldwide real-time monitoring and signature development infrastructure

Tuning: Where to Start
- Most sensors ship with a default signature configuration; this is a good starting point for an initial deployment in most cases
- Start by monitoring the default configuration
- Prioritize the tuning of the high-priority alarms, then move on to the mediums
- It's all about the risk: use risk rating values to help drive your security policy

Risk Rating Explained
- RR = (Signature Fidelity × Event Severity × Target Value) / (100 × 100) ± Attack Relevance
  - Signature fidelity: how prone is the signature to false positives?
  - Event severity: how urgent is the threat?
  - Asset value of target: how critical is this destination host?
  - Attack relevancy: is the attack relevant to the host being attacked?
- The risk rating drives mitigation policy: the policy decision balances attack urgency with business risk
- Customizable risk rating thresholds on the 0 to 100 scale

Gotchas: TCP Resets and SPAN
- If you use TCP resets, you must enable input packets on the SPAN destination port so the switch will accept the RST from the sensor (CatOS set span keywords shown on the slide: rx|tx|both, inpkts, multicast, filter)
- If monitoring multiple VLANs, Cisco IPS sources the resets into the correct VLAN
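As a worked example of the risk rating formula and of the tail of the Virtual Alarm Processors pipeline (risk rating calculator, event action override, apply filters, perform response action), added here and not part of the original deck: the multiplier tables are the values documented for Cisco IPS 5.x severity, target value and relevance ratings, which the slide does not list, so treat them as this example's assumptions; the override thresholds and the event filter are illustrative policy, as the slide says thresholds are customizable, and the sample alarms are constructed.

```python
# Multiplier tables: Cisco IPS 5.x documented values (assumed here; the slide only names the factors).
SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}                      # ASR
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}  # TVR
RELEVANCE = {"relevant": 10, "unknown": 0, "not-relevant": -10}                              # ARR


def risk_rating(severity: str, fidelity: int, target_value: str, relevance: str = "unknown") -> int:
    """RR = Fidelity * Severity * Target-Value / (100 * 100) +/- Relevance, clamped to 0..100."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0..100")
    rr = fidelity * SEVERITY[severity] * TARGET_VALUE[target_value] / (100 * 100) + RELEVANCE[relevance]
    return max(0, min(100, round(rr)))


# Illustrative event action override policy: each entry adds an action when RR is within [low, high].
OVERRIDES = [
    (90, 100, "deny-packet-inline"),
    (70, 100, "reset-tcp-connection"),
    (0, 100, "produce-alert"),
]
# Illustrative event filter: alarms below this RR are dropped before any response action runs.
FILTER_MIN_RR = 20


def actions_for(rr: int, overrides=OVERRIDES, filter_min_rr=FILTER_MIN_RR):
    """Override -> filter -> response actions for one alarm."""
    if rr < filter_min_rr:
        return []  # filtered: nothing reaches the response stage
    return [action for low, high, action in overrides if low <= rr <= high]


def evaluate(event: dict) -> dict:
    """Run one alarm through the risk rating and policy stages."""
    rr = risk_rating(event["severity"], event["fidelity"], event["target_value"], event["relevance"])
    return {"signature": event["signature"], "rr": rr, "actions": actions_for(rr)}


# Constructed alarms: the same high-fidelity Server Service exploit signature against a mission-critical
# host where it applies, against a host where the attack is known not to apply, and a low-value
# informational hit that the filter should swallow.
SAMPLE_EVENTS = [
    {"signature": "Server Service code execution", "severity": "high", "fidelity": 90,
     "target_value": "mission-critical", "relevance": "relevant"},
    {"signature": "Server Service code execution", "severity": "high", "fidelity": 90,
     "target_value": "medium", "relevance": "not-relevant"},
    {"signature": "ICMP echo sweep (informational)", "severity": "informational", "fidelity": 50,
     "target_value": "low", "relevance": "unknown"},
]


def run_demo():
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The same signature yields RR 100 (deny inline) on the mission-critical host and RR 80 (alert and reset, no deny) where relevance is negative, which is the "balances attack urgency with business risk" point of the slide; the informational hit rates 9 and never reaches a response action, which is the tuning advice above expressed as policy rather than as signature-by-signature disabling.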
