Welcome to RealSecure
RealSecure 6.0

Course Objectives
After completing this course, you will be able to:
• Explain how to deploy RealSecure components in various network environments
• Install and configure RealSecure components and X-Press Updates
• Use the Workgroup Manager components to manage and monitor RealSecure assets
• Configure and customize policies
• Configure events and their responses
• Display and inspect event information
• Generate and view RealSecure Standard reports

Course Outline
Day One
• Introduction
• Implementing RealSecure
• Preparing for Installation
• Installing RealSecure
• Using the Deployment Wizard
• X-Press Updates
Day Two
• Using the Console
• Managing Assets
• Managing Sensor Policies
• Monitoring Events
• Configuring Network Sensors
• Configuring RealSecure for Nokia
Day Three
• Configuring Server Sensors
• Working with Events and Responses
• Working with Databases and Reports
• Course Review
• Exam

Module 1: Introduction to RealSecure
Module Objectives
After completing this module, you will be able to:
• Identify and describe the RealSecure components
• Describe how the RealSecure components work together to monitor your network
• Identify the types of threats RealSecure recognizes
• Review the goals and methods of attackers
• Explain how RealSecure responds when your system is under attack

What is RealSecure?
RealSecure is made up of many components:
• Sensors (Network and Server): software applications that look for suspicious activity or attacks and generate the appropriate response
• Workgroup Manager: application used to manage sensors via a console, gather event data from the sensors and send it to the database, and maintain the database
The RealSecure Family

Types of Managers
Each RealSecure Manager provides a different function:
• RealSecure Workgroup Manager: allows for centralized control of sensors and centralized collection of threat event data
• Command Line Interface: sensor management from the command line
• Sensor Manager Utility: allows you to manage multiple groups of sensors using a Java-based front-end to the command line interface

Types of Sensors

Three-tiered Architecture
How Sensors Work Together
Network Sensor
• Dedicated hardware/software solution
• One sensor protects multiple systems
• Promiscuously monitors all traffic on a collision domain
• Diverse range of attack signatures
Server Sensor
• Runs on each system to be protected
• Combination of host and network sensors (can be run with host components only)
• Monitors system logs, file access, port activity, registry keys, user activity
• Tightly integrated with the TCP/IP stack to monitor all traffic to and from the system

Benefits of Using Both Sensors
RealSecure sensors complement each other to provide maximum security coverage. They also provide:
• Real-time detection at the network level
• System-specific confirmation at the host level

How Sensors Work
Type of data monitored
• Raw network packets for Network Sensors and Server Sensors
• Operating system log entries for Server Sensors
Signature base
• ISS X-Force
• Comprehensive signature database
Functions of each sensor
• Network Sensor: runs on the network segment where installed; monitors all IP traffic
• Server Sensor: runs on the host; monitors log files and network traffic to and from that host; compares log file entries against the current policy

Actions Sensors Can Take
When a sensor detects unauthorized activity, it can take one or more actions:
• Post an event to the RealSecure Console
• Record an event to the RealSecure database or record the session to the RealSecure database
• Send an email alert
• Terminate the user's session or send an RSKill
• Send an SNMP trap
• Take a user-definable action
• Block specific network packets all the time or in response to a particular event (Server Sensor only)
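The two preceding slides describe the Server Sensor's log-monitoring function (compare log entries against the current policy) and the responses a sensor can attach to an event. The following is an added illustration of that loop, written for this course page and not taken from RealSecure or ISS: a hypothetical policy of three signatures, one of them threshold-based, is evaluated over constructed syslog-style lines, and each event that fires carries the responses the policy assigns to it. The signature names, regular expressions, response identifiers, log format and sample lines are all constructed here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Response names follow the slide "Actions Sensors Can Take"; a real sensor
# would carry them out, here they are only recorded on the event.
CONSOLE, DATABASE, EMAIL, SNMP_TRAP = "console", "database", "email", "snmp_trap"


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern
    responses: tuple
    threshold: int = 1   # matches from one source needed before the event fires
    window: int = 60     # seconds over which the threshold is counted


# Hypothetical policy standing in for a Server Sensor's "current policy".
POLICY = (
    Signature("Failed login (possible brute force)",
              re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
              (CONSOLE, DATABASE, EMAIL), threshold=3, window=60),
    Signature("su to root",
              re.compile(r"su: (?P<user>\S+) to root"),
              (CONSOLE, DATABASE)),
    Signature("Audit log cleared or truncated",
              re.compile(r"auditd: log file \S+ (cleared|truncated)"),
              (CONSOLE, DATABASE, EMAIL, SNMP_TRAP)),
)

# Constructed syslog-style lines: "<ISO timestamp> <host> <message>".
SAMPLE_LOG = """\
2001-03-05T10:00:01 mail sshd[412]: Failed password for root from 10.1.1.23
2001-03-05T10:00:04 mail sshd[412]: Failed password for root from 10.1.1.23
2001-03-05T10:00:06 mail sshd[412]: Failed password for root from 10.1.1.23
2001-03-05T10:00:09 mail sshd[415]: Accepted password for jdoe from 10.1.1.5
2001-03-05T10:02:30 mail su: jdoe to root on /dev/pts/1
2001-03-05T10:03:10 mail auditd: log file /var/log/audit.log truncated by root
"""


def parse_line(line):
    """Split a log line into (timestamp, host, message)."""
    ts_text, host, message = line.split(" ", 2)
    return datetime.fromisoformat(ts_text), host, message


def evaluate_logs(text, policy=POLICY):
    """Compare each log entry against the policy and return the events that fire.

    A threshold signature fires only once `threshold` matches from the same
    source fall inside `window` seconds; its counter then resets, so one burst
    of failed logins produces one event rather than one per line."""
    events = []
    recent = defaultdict(list)   # (signature name, source) -> timestamps of matches
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, message = parse_line(line)
        for sig in policy:
            match = sig.pattern.search(message)
            if not match:
                continue
            source = match.groupdict().get("src") or host
            hits = recent[(sig.name, source)]
            hits.append(ts)
            cutoff = ts - timedelta(seconds=sig.window)
            hits[:] = [t for t in hits if t >= cutoff]
            if len(hits) >= sig.threshold:
                events.append({
                    "signature": sig.name,
                    "source": source,
                    "time": ts.isoformat(),
                    "responses": list(sig.responses),
                    "line": line,
                })
                hits.clear()
    return events


if __name__ == "__main__":
    for event in evaluate_logs(SAMPLE_LOG):
        print(f"{event['time']}  {event['signature']:<36} src={event['source']:<12} "
              f"-> {', '.join(event['responses'])}")
```

Run stand-alone, the sample produces three events: the brute-force signature fires on the third failed login (not the first), the su line fires immediately, and the truncated audit log carries the widest response set because tampering with logs is the step an attacker takes to hide a compromise.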
Performance Impact of Sensors
Network Sensor on a critical network segment:
• Unobtrusive
• Monitors traffic on the local network segment
• Does not interrupt the traffic stream
Server Sensor on the server:
• Configurable
• Minimal processor overhead for single-user systems
• Impact increases on multi-user systems
• You control how much auditing is done on the server

Threats Recognized by RealSecure
Attack – activity pattern indicating potential malicious, unauthorized, or undesirable activity
• Denial of Service
• Unauthorized Access Attempts
• Pre-attack Probes
• Suspicious Activity
Misuse – non-attack activity that violates stated security or appropriate use policies
• Abuse of admin privileges
• HTTP activity
• Unauthorized access
• E-mail session decoding

How to Spot and Counteract Threats
• Understand attack goals and methods
  – Information gathering
  – Initial system access
  – Obtaining elevated privilege
  – Establishing ownership
• Recognize the role of firewalls
  – Are they enough?
  – Do they protect internal segments and servers?
  – Is the firewall rule base secure?
• Configure RealSecure to identify and respond to attacks

Attack Goals
Common attacker goals include:
• Finding a weakly configured system to turn into a zombie
• Using a compromised machine as a stepping stone to other linked systems
• Acquiring data
• Damaging or destroying information
• Defacing a public site
• Creating a denial-of-service condition

Attack Methods
Attacker methods follow these steps:
• Gathering information
• Gaining initial system access
• Obtaining elevated privileges
• Establishing "ownership"

Information Gathering
Attackers may gather information from many sources:
• Telephone calls to the company
• Phone books
• Web and newsgroup searches
• Visits to the physical site
• Public library reference tools
• Network scans
• The organization's own web site
• Finger probes
• Dumpster diving
• ARIN/RIPE/APNIC and DNS records

Initial System Access
User-level access can be obtained through:
• Brute-forcing a legitimate user's password
• Logging in with a default account
• Getting shell access by taking advantage of a bug or misconfiguration
This may be the most difficult step!

Obtaining Elevated Privileges
With initial system access gained in the previous step, the attacker can:
• Attempt to get root or administrator access
• Traverse the system gathering information about vulnerabilities
• Obtain or construct programs to exploit vulnerabilities discovered

Establishing Ownership
Once root access has been gained, an attacker will:
• Install backdoors through which to access the system without creating logs or appearing on process or user lists
• Alter system logs to remove any evidence of compromise
Now the attacker has control of your system!

The Role of Firewalls
A firewall is the first line of defense against an external intruder. Questions to ask include:
• Are they enough?
• Do they protect internal segments and servers?
• How can you determine if the firewall rule base is secure?
Anatomy of an Attack: No IDS
[Diagram: router and firewall; DMZ with the e-mail server (IMAP) and web server; internal network with NT and UNIX systems (rlogin), clients and workstations]
Step 1. A port scan through the firewall finds active rlogin services on various systems and a vulnerable IMAP service on the corporate e-mail server.
Step 2. Attacker exploits a weakness in IMAP to get root access on the e-mail server in the DMZ.
Step 3. Attacker exploits trust relationships to get access to a Unix system inside the firewall.
Step 4. Attacker cracks password files and now has root/administrator access to various systems and applications.
Step 5. Attacker uses password information to turn the CEO's system into a remotely-controlled zombie.

Anatomy of an Attack: RealSecure IDS
[Diagram: the same network as the previous slide, with Network Sensors on the segments and Server Sensors on the hosts]
Step 1. Network IDS sees port scans and reconfigures the firewall to block them. Host IDS sees port probes and keeps internal systems from replying to the scan.
Step 2. Network IDS sees the attempt to exploit IMAP. Host IDS restricts outgoing connections from the mail server to the internal network.
Step 3. Host IDS notifies you of unusual logins and restricts incoming connections from outside. Now a compromised external system can't be leveraged against internal systems.
Step 4. Host IDS sees attempted access to password files and restricts FTP/Telnet so the attempt to crack passwords fails.
Step 5. Network and host-based IDS work together to protect your CEO's system (and your job!).
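Step 1 of the IDS scenario hinges on the Network Sensor recognizing the port scan and pushing a block to the firewall. The following is an added example of the detection side of that step, written for this page and not RealSecure's own logic: a sliding-window detector that flags a source once it has contacted a configurable number of distinct host/port targets within a few seconds, then emits a deny rule for that source. The thresholds, addresses, connection records and the deny-rule syntax are all constructed here; the rule text is a generic placeholder rather than any particular firewall's language.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT_THRESHOLD = 10             # distinct (host, port) targets from one source ...
SCAN_WINDOW = timedelta(seconds=5)   # ... within this interval is treated as a scan

T0 = datetime(2001, 3, 5, 9, 0, 0)

# Constructed connection-attempt records: (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_CONNECTIONS = (
    # a sweep of 15 consecutive ports on the mail server, one every 200 ms
    [(T0 + timedelta(milliseconds=200 * i), "203.0.113.7", "192.0.2.25", 20 + i)
     for i in range(15)]
    # an ordinary client touching a handful of services over a minute
    + [(T0 + timedelta(seconds=s), "10.1.1.5", "192.0.2.25", p)
       for s, p in ((1, 25), (15, 143), (40, 80), (55, 443))]
)


def detect_port_scans(records, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW):
    """Return {src: alert} for each source that contacts at least `threshold`
    distinct (host, port) targets inside a sliding `window`.

    Records are processed in time order so the alert carries the moment the
    threshold was crossed; a source is reported once, not on every later hit."""
    recent = defaultdict(list)   # src -> [(timestamp, (dst, port))]
    alerts = {}
    for ts, src, dst, port in sorted(records):
        if src in alerts:
            continue
        history = recent[src]
        history.append((ts, (dst, port)))
        cutoff = ts - window
        history[:] = [(t, target) for t, target in history if t >= cutoff]
        targets = {target for _, target in history}
        if len(targets) >= threshold:
            alerts[src] = {
                "first_seen": history[0][0],
                "detected_at": ts,
                "ports": sorted(p for _, p in targets),
            }
    return alerts


def block_rule(src):
    """Text of the rule the IDS would hand to the firewall (placeholder syntax)."""
    return f"deny ip from {src}/32 to any"


def respond(records):
    """Detect scans and produce one block rule per scanning source."""
    return [block_rule(src) for src in detect_port_scans(records)]


if __name__ == "__main__":
    for src, alert in detect_port_scans(SAMPLE_CONNECTIONS).items():
        print(f"{src}: {len(alert['ports'])} ports in "
              f"{(alert['detected_at'] - alert['first_seen']).total_seconds():.1f}s "
              f"-> {block_rule(src)}")
```

The ordinary client never trips the detector because its four connections are spread over a minute, while the sweeping source is flagged on its tenth port, 1.8 seconds in. The window and threshold are the tuning knobs: a longer window catches slow scans at the price of more false positives from busy legitimate hosts.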
Module Review
You should be able to:
• Identify and describe the RealSecure components
• Describe how the RealSecure components work together to monitor your network
• Identify the types of threats RealSecure recognizes
• Review the goals and methods of attackers
• Explain how RealSecure responds when your system is under attack

Module 2: Implementing RealSecure

Module Objectives
After completing this module, you will be able to:
• Discuss scenarios for Workgroup Manager deployment
• Determine where to deploy Network Sensors and Server Sensors
• Address configuration issues associated with Stealth mode and out-of-band reporting

Deploying Workgroup Manager
• Typical install puts all components on one computer
• Production environment: use custom install and split components among several computers to improve performance
• Critical that the Enterprise Database be on a secure system, since it contains all event information
Workgroup Manager Scenario One
• 1-5 sensors, 1 computer, typical install

Workgroup Manager Scenario Two
• 1-5 sensors, 1 computer, typical install; backup Console with custom install on a second computer

Workgroup Manager Scenario Three
• 6-20 sensors, WGM components distributed across 2 computers, backup Console on a third computer

Workgroup Manager Scenario Four
• 20-50 sensors, WGM components distributed across 3 computers, backup Console on a fourth computer

Workgroup Manager Scenario Five
• 50+ sensors, WGM components distributed across 5 computers, backup Console on a sixth computer
Deploying Sensors
Place Network Sensors on each segment of the network where:
• Critical data must be protected
• Users need to be monitored
Place Server Sensors:
• On all servers containing critical information
• On host systems containing critical data
• On Unix NIS servers
• On hosts to be used for remote Unix syslog monitoring

One Console, Multiple Sensors
• One Console best supports up to 50 sensors
• Varies depending on sensor configuration and how real-time incident response is handled
• Number of sensors managed by a single Console can be limited by the response capabilities of the Console operator
• Typical ratio for Network Sensors is 10-20 per Console
• If less emphasis is placed on real-time response, the ratio for Network Sensors is 20-30 per Console

One Sensor, Multiple Consoles
• A single sensor can send data to up to 50 Consoles
• A typical configuration is one sensor sending data to 2-4 Consoles

Examples of Deployment
• Network Sensors in key locations:
  – In front of the firewall
  – In the DMZ
  – Inside the firewall
  – On key segments of the internal network
  – On the segment with the dial-up server
  – Behind the firewall of a corporate partner
• Server Sensors on key systems:
  – Important servers
  – Host systems with critical data
  – Windows NT domain servers or UNIX NIS servers
• Console on the intranet backbone

Liberal Deployment
RealSecure on a Switched Network
• Ways to support RealSecure in a switched network environment include use of:
  – Span or mirror ports
  – Hubs
  – Taps
• Associated issues are discussed in detail in the Advanced RealSecure course

Stealth Mode and Out-of-Band Reporting
• Out-of-band reporting: communications outside the network/channel that is being monitored
• With RealSecure, set up out-of-band reporting for a Network Sensor by using two interfaces:
  – A "stealth" interface with no IP address on the monitored segment
  – A reporting interface with an IP address on the reporting segment

Advantages of Stealth Mode
• Network Sensors cannot be located by an attacker
  – Attacker doesn't know which segments are monitored
  – Attacker can't be sure a Network Sensor is being avoided or overwhelmed
• Network Sensors are inaccessible to IP attacks from the production network
  – Sensor has no IP address
• No Network Sensor reporting traffic exists on the production network
  – Prevents attackers from getting information about the IDS

NS Responses and Stealth Mode
• Kill responses are constructed by the sensor's packet engine and don't require an IP address
• All other responses must be sent from the IP-bound interface
• In a stealth configuration, OPSEC, LMF, SMTP, and SNMP responses originate from the reporting interface onto the reporting segment; kill responses originate from the monitored interface with spoofed source and destination

Non-Kill Responses and Stealth Mode
• For non-kill responses to work, a routing path must exist between the reporting network and the response recipients
• The routing path can be an internal firewall between the production network and the out-of-band network
• Example of an out-of-band network firewall policy:
  – Block everything except (1) outgoing responses from Network Sensors and (2) reporting traffic between host-based sensors and the Console
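The firewall policy sketched on this slide is short enough to model exactly. What follows is an added example, not ISS's or the course's own material: a default-deny evaluator with the two allow rules the slide names, run over constructed flows crossing between the out-of-band reporting segment and the production network. The addresses, the choice of SMTP (tcp/25) and SNMP trap (udp/162) as the non-kill response services, and the sensor/Console reporting port number are all assumptions made for the illustration; the slide gives none of them.

```python
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Constructed addressing (none of it comes from the slide):
PROD_NET = ipaddress.ip_network("10.1.0.0/16")       # production network being monitored
CONSOLE = ipaddress.ip_address("10.99.0.5")          # Console on the out-of-band segment 10.99.0.0/24
NS_REPORTING_IFS = {                                 # Network Sensor reporting interfaces, same segment
    ipaddress.ip_address("10.99.0.11"),
    ipaddress.ip_address("10.99.0.12"),
}
SMTP_RELAY = ipaddress.ip_address("10.1.10.25")      # receives e-mail responses
SNMP_MANAGER = ipaddress.ip_address("10.1.10.30")    # receives SNMP traps
REPORTING_PORT = 2998   # placeholder for the sensor/Console reporting port; assumed, not from the slide

# Non-kill responses leave via the reporting interface; each service has one
# legitimate recipient, so a rule can pin service and destination together.
RESPONSE_RECIPIENTS = {("tcp", 25): SMTP_RELAY, ("udp", 162): SNMP_MANAGER}


def ns_response_out(f: Flow) -> bool:
    """Allow (1): an outgoing response from a Network Sensor's reporting
    interface, but only to the recipient configured for that service."""
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return src in NS_REPORTING_IFS and RESPONSE_RECIPIENTS.get((f.proto, f.dport)) == dst


def host_sensor_reporting(f: Flow) -> bool:
    """Allow (2): reporting traffic between host-based sensors on the
    production network and the Console, in either direction."""
    if f.proto != "tcp" or f.dport != REPORTING_PORT:
        return False
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return (src in PROD_NET and dst == CONSOLE) or (src == CONSOLE and dst in PROD_NET)


RULES = [("ns-responses-out", ns_response_out), ("host-sensor-reporting", host_sensor_reporting)]


def evaluate(flow: Flow, rules=RULES):
    """First matching allow rule wins; anything unmatched is denied."""
    for name, matches in rules:
        if matches(flow):
            return "allow", name
    return "deny", "default"


# Constructed flows that exercise both allow rules and the default deny.
SAMPLE_FLOWS = [
    Flow("10.99.0.11", "10.1.10.25", "tcp", 25),     # sensor e-mail alert
    Flow("10.99.0.12", "10.1.10.30", "udp", 162),    # sensor SNMP trap
    Flow("10.1.5.20", "10.99.0.5", "tcp", 2998),     # host sensor reporting to Console
    Flow("10.99.0.5", "10.1.5.20", "tcp", 2998),     # Console managing a host sensor
    Flow("10.1.7.99", "10.99.0.11", "tcp", 80),      # production host probing a sensor: denied
    Flow("10.1.7.99", "10.99.0.5", "tcp", 22),       # production host to Console SSH: denied
    Flow("10.99.0.11", "10.1.5.20", "tcp", 22),      # sensor initiating anything else: denied
    Flow("10.99.0.11", "10.1.10.30", "tcp", 25),     # SMTP to the wrong recipient: denied
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        decision, rule = evaluate(flow)
        print(f"{flow.src:>11} -> {flow.dst:<11} {flow.proto}/{flow.dport:<5} {decision:<5} ({rule})")
```

Two details carry the slide's intent. Pinning each response service to its single recipient means a sensor's reporting interface can reach exactly two destinations on the production side and nothing else, and the absence of any rule with a production-side source and a sensor address as destination is what keeps the sensors unreachable from the network they watch, even though a routing path now exists.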
Out-of-Band Reporting Outside the Firewall
• The fear that this circumvents the firewall is unfounded
• A Network Sensor in stealth configuration is more secure than a firewall
• The operating system's TCP/IP stack is unbound from the interface, isolating the sensor from stack vulnerabilities
• Incoming packets are handled as data, with no capacity to pass packets to the reporting interface

Module Review
You should be able to:
• Discuss scenarios for Workgroup Manager deployment
• Determine where to deploy Network Sensors and Server Sensors
• Address configuration issues associated with Stealth mode and out-of-band reporting

Module 3: Preparing for Installation

Module Objectives
After completing this module, you will be able to:
• Determine whether your systems meet the minimum requirements
• Explain how authentication works in RealSecure
• Identify the differences between authentication keys and license keys
• Discuss some considerations for upgrading from RealSecure 5.x to 6.0

Online Help
The online Help provides information such as:
• Help during installation of RealSecure
• Event information:
  – Type of event
  – Detailed description
  – Why the event might be dangerous
  – Possible false positives
  – Systems affected
  – How to respond to the event
  – How to remove the vulnerability
Requirement to use online Help: Internet Explorer 4.01 with SP 1 or higher