
NetRanger Intrusion Detection System. Marek Mąkowski, mmakowsk@cisco.com. 0600_11F8_c2

The Security Wheel: Defense In-Depth. Effective network security requires defense in-depth, multiple capabilities - a combination of framework/process, technology, and expertise/ongoing operations…



Presentation Transcript


  1. NetRanger Intrusion Detection System. Marek Mąkowski, mmakowsk@cisco.com. 0600_11F8_c2

  2. The Security Wheel: Defense In-Depth
     Effective network security requires defense in-depth, multiple capabilities - a combination of framework/process, technology, and expertise/ongoing operations…
     1) Corporate Security Policy
     2) SECURE
        • ID/Authentication
        • Encryption & VPN
        • Firewalls
        • Security Design & Implementation/Integration
     3) MONITOR
        • Real-Time Intrusion Detection & Response
        • 7x24 Monitoring
     4) AUDIT/TEST
        • Vulnerability Scanning & Analysis
        • Security Posture Assessment
        • Risk Assessment
     5) MANAGE & IMPROVE
        • Centralized Policy & Configuration Management
        • Trend Analysis
        • Management Reports
        • Incident Response
        • Policy Development & Review

  3. Why Active Audit?
     • The hacker might be an employee or ‘trusted’ partner
       • Up to 80% of security breaches are from insiders -- FBI
     • Your defense might be ineffective
       • One in every three intrusions occurs where a firewall is in place -- Computer Security Institute
     • Your employees might make mistakes
       • Misconfigured firewalls, modems, old passwords, etc.
     • Your network will grow and change
       • Each change is a security risk
     Firewalls, Authorization, Encryption do not provide Visibility into these problems

  4. Active Audit -- Goal: Visibility
     • NetRanger Intrusion Detection System
       • Monitors user behaviors while on the network
       • Similar to the guards, video cameras and motion detectors that help secure bank vaults

  5. NetRanger Overview
     • Real-Time Intrusion Detection and Response
       • Finds and stops unauthorized activity occurring on the network --- “reactive” appliance
       • Network “motion sensor, video camera, and security guard”
     • Industry-leading technology
       • Scalable, distributed operation
       • High performance (100MB Ethernet, FDDI, Token Ring)
       • “On-the-fly” re-configuration of Cisco Router ACLs to shun intruders

  6. NetRanger Architecture (diagram)
     NetRanger Sensor (appliance):
       • Detection
       • Alarm Generation
       • Response
       • Countermeasures
     Comm (Sensor-to-Director communication)
     NetRanger Director (software):
       • Alarm Handling
       • Configuration Control
       • Signature Control

  7. Sensor Appliance

  8. Sensor Front Panel

  9. Sensor Back Panel (labels: Monitoring NIC, Command NIC)

  10. Attack Signature Detection
     • Scans Packet Header and Payload
       • Single and multiple packet attacks
     • Three-tier Attack Detection
       1. Name Attacks (Smurf, PHF)
       2. General Category (IP Fragments)
       3. Extraordinary (TCP Hijacking, E-mail Spam)
     • Customer Defined Signatures
       • String matching (words)
       • Quickly defend against new attacks
       • Scan for unique misuse

  11. Sensor—Detect Intrusions (diagram)
     Context (header) attacks: Port Sweep, SYN Attack, TCP Hijacking, Ping of Death, Land Attack
     Content (data) attacks: Telnet Attacks, Character Mode Attacks, MS IE Attack, DNS Attacks
     “Atomic” = single packet; “Composite” = multiple packets
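The three detection styles on slides 10 and 11 (a header-context signature evaluated on a single packet, payload string matching of the customer-defined kind, and a multi-packet composite signature) can be shown in a few dozen lines. The following is an added example written for this page, not NetRanger code: the packet records, signature numbers and thresholds are constructed, and the port-sweep window and threshold are assumptions chosen for the sample.

```python
# Added example, not NetRanger code. A miniature sensor demonstrating:
#  - an atomic signature on packet header context (Land attack: src == dst),
#  - a content signature matching a byte string in the payload (PHF probe),
#  - a composite signature kept across packets (TCP port sweep).
# Signature ids, thresholds and traffic below are constructed for the sample.
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    ts: float            # arrival time in seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags as letters, e.g. "S", "SA", "PA"
    payload: bytes = b""


@dataclass
class Alarm:
    sig_id: int          # constructed id, not a NetRanger signature number
    name: str
    src: str
    dst: str
    ts: float


# --- atomic signature: header context of one packet -------------------------
def sig_land(p: Packet) -> bool:
    """Land attack: source and destination address and port are identical."""
    return p.proto == "tcp" and p.src == p.dst and p.sport == p.dport


# --- content signature: string match in the payload -------------------------
CONTENT_SIGS = [
    # (sig_id, name, protocol, destination port, byte string to look for)
    (9002, "PHF CGI probe", "tcp", 80, b"/cgi-bin/phf"),
]


def content_alarms(p: Packet):
    for sig_id, name, proto, dport, needle in CONTENT_SIGS:
        if p.proto == proto and p.dport == dport and needle in p.payload:
            yield Alarm(sig_id, name, p.src, p.dst, p.ts)


# --- composite signature: state kept across packets -------------------------
class PortSweepDetector:
    """Fires once per (src, dst) when >= threshold distinct destination ports
    receive a bare SYN inside a sliding time window (assumed values)."""

    def __init__(self, threshold: int = 5, window: float = 10.0):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(list)     # (src, dst) -> [(ts, dport), ...]
        self.fired = set()

    def observe(self, p: Packet) -> Optional[Alarm]:
        if p.proto != "tcp" or "S" not in p.flags or "A" in p.flags:
            return None                   # only connection attempts count
        key = (p.src, p.dst)
        hist = self.seen[key] + [(p.ts, p.dport)]
        hist = [(t, d) for t, d in hist if p.ts - t <= self.window]
        self.seen[key] = hist
        if len({d for _, d in hist}) >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return Alarm(9003, "TCP port sweep", p.src, p.dst, p.ts)
        return None


class Sensor:
    def __init__(self):
        self.sweep = PortSweepDetector()

    def process(self, packets: List[Packet]) -> List[Alarm]:
        alarms: List[Alarm] = []
        for p in packets:
            if sig_land(p):
                alarms.append(Alarm(9001, "Land attack", p.src, p.dst, p.ts))
            alarms.extend(content_alarms(p))
            a = self.sweep.observe(p)
            if a:
                alarms.append(a)
        return alarms


# Constructed sample traffic: one Land packet, one PHF probe, then six SYNs
# from one source to six different ports of the same host.
SAMPLE = [
    Packet(0.0, "10.1.1.5", "10.1.1.5", "tcp", 139, 139, "S"),
    Packet(1.0, "192.0.2.9", "10.1.1.20", "tcp", 40001, 80, "PA",
           b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
] + [Packet(float(2 + i), "192.0.2.9", "10.1.1.20", "tcp", 40100 + i, 20 + i, "S")
     for i in range(6)]


def run_sample() -> List[Alarm]:
    return Sensor().process(SAMPLE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:6.1f} sig {a.sig_id} {a.name}: {a.src} -> {a.dst}")
```

The composite detector is where a real sensor spends its effort: it must bound the state it keeps per source (here an unbounded dictionary) or an attacker can exhaust memory before any alarm fires, and the window and threshold decide the trade-off between catching slow sweeps and false alarms from ordinary clients.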

  12. Sensor—Event Logging
     Events are logged for three different activities:
     • Alarms—when a signature is detected (e.g. Ping Sweep)
     • Errors—when an error is detected (e.g. Lost Communications between Sensor and Director)
     • Commands—when a user executes a command on the Director or Sensor (e.g. Shun Attacking Host)

  13. Sensor—Attack Response: Session Termination and Shunning
     • Session Termination—kill the current session: the Sensor kills an active session (e.g. a TCP Hijack attacker's)
     • Network Device Shunning—the Sensor reconfigures the router to deny the attacker access
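Slides 12 and 13 together describe the Director-side loop: record alarms, errors and operator commands, and turn a shun command into a router ACL change. The example below is added for this page and is not NetRanger or Cisco code; it only produces the ACL text (standard IOS extended access-list syntax) and never talks to a router. The never-shun list, the expiry period and ACL number 199 are assumptions. The never-shun list is the check a practitioner wants here: a spoofed source address in an alarm must not be able to make the sensor cut off the Director, the DNS servers or a business partner.

```python
# Added example, not NetRanger code. Director-side event log plus a guarded
# "shun attacking host" command that emits an IOS ACL entry with an expiry.
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    ts: float
    kind: str      # "alarm", "error" or "command" (the three classes on slide 12)
    source: str    # reporting sensor, or the operator for commands
    text: str


class Director:
    def __init__(self, never_shun: List[str], shun_minutes: int = 15,
                 acl_number: int = 199, clock: Callable[[], float] = time.time):
        # never_shun: networks that must stay reachable (assumed list)
        self.never_shun = [ipaddress.ip_network(n) for n in never_shun]
        self.shun_minutes = shun_minutes
        self.acl_number = acl_number
        self.clock = clock                  # injectable for deterministic tests
        self.log: List[Event] = []
        self.shuns: Dict[str, float] = {}   # shunned address -> expiry time

    def _record(self, kind: str, source: str, text: str) -> None:
        self.log.append(Event(self.clock(), kind, source, text))

    def alarm(self, sensor: str, sig_name: str, src: str, dst: str) -> None:
        self._record("alarm", sensor, f"{sig_name} {src} -> {dst}")

    def error(self, sensor: str, text: str) -> None:
        self._record("error", sensor, text)

    def _protected(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.never_shun)

    def shun(self, sensor: str, addr: str, operator: str = "console") -> Optional[str]:
        """Return the ACL line to push to the router, or None if refused."""
        if self._protected(addr):
            self._record("error", sensor, f"shun refused: {addr} is on the never-shun list")
            return None
        self.shuns[addr] = self.clock() + self.shun_minutes * 60
        self._record("command", operator, f"shun {addr} via {sensor}")
        return f"access-list {self.acl_number} deny ip host {addr} any"

    def expire(self) -> List[str]:
        """Lift shuns whose expiry has passed and log the change."""
        now = self.clock()
        done = [a for a, exp in self.shuns.items() if exp <= now]
        for a in done:
            del self.shuns[a]
            self._record("command", "director", f"unshun {a}")
        return done

    def acl(self) -> List[str]:
        """Current contents of the shun ACL, ending in the usual permit."""
        lines = [f"access-list {self.acl_number} deny ip host {a} any"
                 for a in sorted(self.shuns)]
        lines.append(f"access-list {self.acl_number} permit ip any any")
        return lines


def demo() -> Director:
    """Constructed scenario: one sweep alarm, a shun that is accepted, a shun
    of the DNS server that is refused, a lost-communications error, expiry."""
    t = [1000.0]
    d = Director(never_shun=["10.0.0.0/24", "192.0.2.53/32"], clock=lambda: t[0])
    d.alarm("sensor-1", "TCP port sweep", "203.0.113.7", "10.1.1.20")
    d.shun("sensor-1", "203.0.113.7")
    d.shun("sensor-1", "192.0.2.53")          # refused: DNS server
    d.error("sensor-1", "lost communications with director")
    t[0] += 16 * 60                           # sixteen minutes later
    d.expire()
    return d


if __name__ == "__main__":
    for e in demo().log:
        print(f"{e.ts:8.0f} {e.kind:8s} {e.source:10s} {e.text}")
```

Writing the log entries from a single `_record` path keeps the three event classes in one ordered stream, which is what an analyst needs when reconstructing whether a shun was triggered by an alarm or by an operator.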

  14. Sensor—Session Logging
     • Capture evidence (keystrokes) of suspicious or criminal activity
     • Fish Bowl or Honeypot -- learn and record a hacker’s knowledge of your network
     (diagram: Attacker → Attack → Sensor, which writes a Session Log → Protected Network)

  15. NetRanger Deployment (diagram)
     Components shown: Internet, Cisco Routers, PIX Firewall, IOS Firewall, Switch, Corporate Network (Engineering, Finance, Admin), Cisco Secure Server (ID/Auth., TACACS+), DNS Server, WWW Server, NetSonar (NR/NS), NetRanger sensors at several points, NetRanger Director, Remote Security Monitoring, Dial-Up Access, Business Partner

  16. NetRanger Director
     • Geographically Oriented GUI
       • Operations-friendly HP OpenView GUI
       • Color Icon Alarm notification
       • Quickly pinpoint, analyze and respond
       • Maintain Security operations consistency
     • Network Security Database
       • Attack info, hotlinks, countermeasures
       • Customizable
     • Monitor Hundreds of Sensors per NOC

  17. Software Requirements
     • Operating Systems
       • Solaris 2.5.1 or 2.6
       • HP-UX 10.20
     • HP OpenView 4.11, 5.01, 6.0
     • Web browser (for NSDB)

  18. Hardware Requirements
     • Sun SPARC platform with:
       • NetRanger install partition: /usr/nr (50 MB)
       • NetRanger log partition: /usr/nr/var (2 GB)
       • HP OpenView install partition: /opt (110 MB)
       • Java run-time environment: /opt (12 MB)
       • System RAM: 96 MB

  19. Hardware Requirements (cont.)
     • HP-UX platform with:
       • NetRanger install partition: /usr/nr (50 MB)
       • NetRanger log partition: /usr/nr/var (2 GB)
       • HP OpenView install partition: /opt (65 MB)
       • Java run-time environment: /opt (10 MB)
       • System RAM: 96 MB

  20. Director - Distributed Management
     • Enterprise Strategic Management: Director Tier 1
     • Regional Operational Management: Director Tier 2
     • Local Network Security Management: Director Tier 3 (several Tier 3 Directors report upward)

  21. Alarm Display and Management (screenshot; labels: Context intrusion alarm, Content intrusion alarm, Sensor icon, Director icon)

  22. Configuration Management

  23. Network Security Database
     • On-line reference tool
     • Contains:
       • Descriptions
       • Recommendations and fixes
       • Severity ratings
       • Hyperlinks to external information/patches

  24. E-mail and Script Execution
     • E-mail Notification: sends a notification to an e-mail recipient or pager.
     • Custom Script Execution: starts any user-defined script.
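Starting a user-defined script on every alarm means alarm fields, some of which an attacker chose (source address, a matched string), flow into a program the operator wrote. The following added example, not NetRanger code, composes the pager and e-mail text and launches the script with the alarm fields as separate arguments and no shell, so a field containing shell syntax arrives as a single literal argument. The alarm record, field order and the use of the Python interpreter as a stand-in script are assumptions of this example.

```python
# Added example, not NetRanger code. E-mail/pager text for an alarm, and a
# user-defined script started with the alarm fields as discrete arguments.
import subprocess
import sys
from typing import List, Sequence, Tuple, Union

# Constructed alarm; the src field deliberately carries shell metacharacters.
ALARM = {
    "sensor": "sensor-1",
    "name": "PHF CGI probe",
    "src": "203.0.113.7; echo injected",
    "dst": "10.1.1.20",
    "severity": 4,
}


def notification_text(alarm: dict) -> Tuple[str, str]:
    """Return (one-line pager text, multi-line e-mail body)."""
    pager = (f"NetRanger sev {alarm['severity']}: {alarm['name']} "
             f"{alarm['src']} -> {alarm['dst']} via {alarm['sensor']}")
    mail = "\n".join([
        f"Sensor:    {alarm['sensor']}",
        f"Signature: {alarm['name']}",
        f"Source:    {alarm['src']}",
        f"Target:    {alarm['dst']}",
        f"Severity:  {alarm['severity']}",
    ])
    return pager, mail


def script_argv(script: Union[str, Sequence[str]], alarm: dict) -> List[str]:
    """Build the argument vector: script path (or command prefix) followed by
    the alarm fields in a fixed order. No string is ever joined into a
    command line, so nothing in the alarm can change the command."""
    cmd = [script] if isinstance(script, str) else list(script)
    return cmd + [alarm["sensor"], alarm["name"], alarm["src"],
                  alarm["dst"], str(alarm["severity"])]


def run_user_script(script: Union[str, Sequence[str]], alarm: dict,
                    timeout: float = 30.0) -> Tuple[int, str]:
    """Run the script without a shell and with a timeout, returning
    (exit status, captured stdout)."""
    proc = subprocess.run(script_argv(script, alarm), shell=False,
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def run_demo() -> Tuple[int, str]:
    # Stand-in for an operator's script (assumption): prints how many
    # arguments arrived and echoes the third one (the source field) verbatim.
    stand_in = [sys.executable, "-c",
                "import sys; print(len(sys.argv) - 1); print(sys.argv[3])"]
    return run_user_script(stand_in, ALARM)


if __name__ == "__main__":
    pager, mail = notification_text(ALARM)
    print(pager)
    print(mail)
    rc, out = run_demo()
    print(f"script exit {rc}, output:\n{out}")
```

The timeout matters as much as the argument handling: a script that blocks (a pager gateway that hangs, for instance) must not stall the alarm pipeline behind it.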

  25. The Security Wheel: Defense In-Depth (same slide as slide 2, shown again before the NetSonar part)

  26. What comprises Active Audit?
     Proactive: NetSonar
       • Vulnerability scanning
       • Network mapping
       • Measure exposure
       • Security expertise
     Reactive: NetRanger
       • Real-time analysis
       • Intrusion detection
       • Dynamic response
       • Assurance

  27. NetSonar™ Security Scanner: “Proactive Security”. 0305_10F8_c2

  28. Active Audit—Network Vulnerability Assessment
     • Assess and report on the security status of network components
     • Scanning (active, passive), vulnerability database
     • NetSonar

  29. NetSonar Overview
     • Vulnerability scanning and network mapping system
       • Identifies and analyzes security vulnerabilities in ever-changing networks -- “proactive” software
     • Industry-leading technology
       • Network mapping
       • Host and device identification
       • Flexible reporting
       • Scheduled scanning

  30. Network Discovery Process
     • Network Mapping
       • Identify live hosts
       • Identify services on hosts
     • Vulnerability Scanning
       • Analyze discovery data for potential vulnerabilities
       • Confirm vulnerabilities on targeted hosts
     (diagram: scanner probing several target hosts)

  31. Network Mapping Tool
     • Uses multiple techniques
       • Ping sweeps - Electronic Map
       • Port sweeps - Service discovery
     • Unique discovery features
       • Detects workstations, routers, firewalls, servers, switches, printers, and modem banks
       • Detects Operating Systems and version numbers
       • Does not require SNMP

  32. Vulnerability Assessment Engine
     • Potential Vulnerability Engine -- Passive
       • Compares network discovery data to rules to reveal potential vulnerabilities
     • Confirmed Vulnerability Engine -- Active
       • Uses well-known exploitation techniques to fully confirm each suspected vulnerability and to identify vulnerabilities not detected during passive mapping

  33. How NetSonar Works (diagram)
     • Network Discovery: Ping Sweep - ID Hosts; Port Sweeps - ID Svcs. Hosts found: Router, Email Svr, Web Svr, Firewall, Workstation (marked Active/Inactive); services seen: SMTP, FTP, HTTP, FTP, Telnet
     • Passive Vulnerability Analysis: discovery data analyzed by rules. Example: Workstation: Windows NT v4.0, SMB Redbutton, Anonymous FTP
     • Active Vulnerability Analysis: exploits executed against target hosts. Example: FTP Bounce Exploit
     • Presentation & Reporting: communicate results
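Slides 30 to 33 describe one pipeline: discovery data in, rules producing potential findings, a confirmation stage, and a report. The example below is added for this page and is not NetSonar code. It implements the passive rule engine and the report over a constructed network map with the host types and services the slide names; the confirmation stage is represented by checks that read attributes recorded in that constructed map, standing in for the product's active engine without performing any network activity. Rule ids, severities and host data are assumptions.

```python
# Added example, not NetSonar code. Discovery data -> passive rules ->
# confirmation stage -> report, over a constructed network map.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Host:
    addr: str
    kind: str                    # "workstation", "router", "email server", ...
    os: str                      # as identified by mapping (may be "unknown")
    services: Dict[int, str]     # open port -> service name
    attrs: dict = field(default_factory=dict)   # extra details from discovery


@dataclass
class Finding:
    host: str
    rule_id: str
    title: str
    severity: int                # 1 (low) .. 5 (high), assumed scale
    confirmed: Optional[bool] = None   # None: not checked by the active stage


# Passive rules: (id, title, severity, predicate over discovery data).
RULES = [
    ("ftp-anon", "FTP service present; anonymous login possible", 3,
     lambda h: 21 in h.services),
    ("nt4-smb", "Windows NT 4.0 host exposing SMB", 4,
     lambda h: h.os.startswith("Windows NT 4.0") and 139 in h.services),
    ("telnet-clear", "Cleartext Telnet administration service", 2,
     lambda h: 23 in h.services),
]


def passive_analysis(hosts: List[Host]) -> List[Finding]:
    """Compare discovery data to rules; every match is a *potential* finding."""
    findings = []
    for h in hosts:
        for rule_id, title, sev, pred in RULES:
            if pred(h):
                findings.append(Finding(h.addr, rule_id, title, sev))
    return findings


# Confirmation checks keyed by rule id. These stand in for the active engine
# and only read attributes stored in the constructed map (assumption).
CONFIRM: Dict[str, Callable[[Host], bool]] = {
    "ftp-anon": lambda h: h.attrs.get("ftp_anonymous") is True,
}


def confirm(findings: List[Finding], hosts: List[Host]) -> List[Finding]:
    by_addr = {h.addr: h for h in hosts}
    for f in findings:
        check = CONFIRM.get(f.rule_id)
        if check is not None:
            f.confirmed = check(by_addr[f.host])
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Highest severity first; confirmed before merely potential."""
    label = {True: "CONFIRMED", False: "not confirmed", None: "potential"}
    order = sorted(findings, key=lambda f: (-f.severity, f.confirmed is not True, f.host))
    return [f"{f.host} {f.rule_id} sev={f.severity} {label[f.confirmed]}" for f in order]


# Constructed network map echoing the slide: router, e-mail and web servers,
# a firewall and an NT 4.0 workstation.
NETWORK = [
    Host("10.1.1.1", "router", "unknown", {23: "telnet"}),
    Host("10.1.1.25", "email server", "UNIX", {25: "smtp", 21: "ftp"},
         {"ftp_anonymous": False}),
    Host("10.1.1.30", "web server", "UNIX", {80: "http"}),
    Host("10.1.1.254", "firewall", "unknown", {}),
    Host("10.1.1.20", "workstation", "Windows NT 4.0", {139: "smb", 21: "ftp"},
         {"ftp_anonymous": True}),
]


def scan_sample() -> List[str]:
    findings = confirm(passive_analysis(NETWORK), NETWORK)
    return report(findings)


if __name__ == "__main__":
    for line in scan_sample():
        print(line)
```

Keeping "potential" and "confirmed" as separate states, rather than dropping unconfirmed findings, is the point of the two-engine design: a rule hit the active stage could not check is still worth an analyst's attention, while a confirmed one goes to the top of the report.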
