
IPS News


Presentation Transcript


  1. IPS News, Germán Zurro Valdez, gzurro@checkpoint.com

  2. Agenda
     1. Is IPS still needed?
     2. Check Point in the IPS market
     3. IPS Managed Services
     4. Product News!


  4. Dynamic Threat Landscape: over 100 attacks per second! New malware is generated every second!

  5. Why Is IPS Needed?
     • RSA: 0-day in Adobe Flash Player embedded in a Microsoft Excel file (“2011 Recruitment Plan.xls”)
     • HBGary, Epsilon, Sony Pictures: SQL injection
     • Sony PSN: old and vulnerable version of the Apache web server AND no perimeter FW!
     • XSS
     • Threat categories: 0-day attacks; complex, polymorphic attacks; advanced persistent threats (APTs); DDoS; vulnerability attacks; compliance requirements


  7. Agenda
     1. Is IPS still needed?
     2. Check Point in the IPS market
     3. IPS Managed Services
     4. Product News!

  8. We changed the face of our IPS

  9. Continued Industry Leadership
     • #1 in Adobe Reader / Acrobat threat coverage: 2009, 2010, 2011
     • #1 in Microsoft threat coverage: 2008, 2009, 2010 and 2011
     [Two bar charts of signature counts per vendor (Check Point, Sourcefire, Cisco, Juniper, HP TippingPoint, McAfee), with Check Point shown at the top of each.]
     Signature counts attained from vendor public web sites.

  10. Superb 3rd Party Validation (IPS; Next Gen FW and IPS)
     • No other vendor has the BEST FW, IPS and NGFW!
     • NSS IPS Recommended 2011: 97.3% security score
     • Gartner FW MQ (including integrated IPS): Leader for 12 years
     • Gartner IPS MQ: Niche
     • NSS FW Recommended 2011: only vendor to pass
     • NSS NGFW Recommended 2011
     • World’s first: Gartner NGIPS definition

  11. NSS 2012 Results

  12. Agenda
     1. Is IPS still needed?
     2. Check Point in the IPS market
     3. IPS Managed Services
     4. Product News!

  13. Daily Security Challenge
     • Priority one: maintain production operations!
     • Secure against all threats, including targeted APTs
     • Monitor the flood of IPS security events
     • Optimize the IPS protection policy against a dynamic threat landscape

  14. IPS Management Challenges
     • Many hundreds to thousands of events per day…
     • Which events are serious?
     • How should the protection policy be tuned?
     • We don’t have time…

  15. Introducing IPS Managed Services: 24/7 IPS MANAGEMENT BY CHECK POINT EXPERTS
     1. Actionable attack alerts
     2. Ongoing tuning of IPS protections
     3. Global attack intelligence & benchmarks

  16. How Does It Work? [Diagram] The customer’s FW / IPS Software Blades send IPS events to the Check Point SOC; the SOC returns actionable attack alerts, on-going policy tuning and global intelligence to the customer through the IPS Managed Service Portal.

  17. Expert Monitoring for Actionable Alerts
     • Many hundreds to thousands of events per day… → few actionable alerts per week!
     • 24/7 analysis by Check Point experts

  18. Get Actionable Attack Alerts
     • Instant alert
     • What happened?
     • What to do next?

  19. Check Point IPS Managed Services: CUSTOMER BENEFITS
     1. Tremendous time savings
     2. Expert monitoring
     3. Meet compliance requirements
     4. Better security: actionable attack alerts; ongoing tuning of IPS protections; global attack intelligence & benchmarks

  20. Agenda
     1. Is IPS still needed?
     2. Check Point in the IPS market
     3. IPS Managed Services
     4. Product News!

  21. Product news! IPS CLI; new Geo Protection; Implied Exceptions; Fail-Open NICs; Snort Conversion Tool

  22. IPS CLI
     • We now allow making temporary changes to IPS directly from the CLI:
     • Enable/disable IPS on the GW
     • Trigger bypass manually or configure its thresholds
     • Turn on debug
     • Gather performance statistics on IPS protections to help identify protections with high CPU utilization
     • All changes are temporary and are overridden by a policy push, a reboot and cpstop/cpstart

  23. Geo Protection
     • Geo Protection is now much more accurate
     • A new vendor is used
     • Missing countries were added to the list: North Korea, Somalia, etc.

  24. Implied exceptions
     • Implied exceptions ignore traffic originated by Check Point products so as not to block our own communication:
     • SSL on non-standard ports
     • HTTP on non-standard ports
     • SSL tunneling
     • View the exceptions by checking the “IPS implied exception” option: http://wiki.checkpoint.com/confluence/display/GlobalPO/Freud+-+Implied+exceptions

  25. Fail-Open NICs

  26. What is Snort? Open source network intrusion prevention and detection system (IPS/IDS). De-facto standard for communities writing open network detection signatures. Created by Martin Roesch in 1998, currently CTO of Sourcefire. Latest version is 2.9.x. More info at http://www.snort.org

  27. Snort rules. Snort rules are similar to what we in Check Point call protections:
     • Rules are stored in (multiple) text files
     • One rule is one line of a text-based language with a predefined syntax
     • The syntax has evolved and can today detect patterns in many different ways
     • Rules can call pre-processors to better look for patterns in advanced protocols
     Snort rule capabilities are similar to, but also very different from, the proprietary Check Point protection language.

  28. Snort rule syntax - example
     alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
     Elements before the parentheses are the ‘rule header’:
     • alert: action to take; also log, pass, activate, dynamic
     • tcp: protocol; also udp, icmp, ip
     • $EXTERNAL_NET: source address; this is a variable, can also be an IP
     • 27374: source port; also any, negation (!21), range (1:1024)
     • ->: direction; <- and <> are also allowed
     • $HOME_NET: destination address; this is also a variable
     • any: destination port

  29. Snort rule syntax - example
     alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
     Elements in parentheses are ‘rule options’:
     • msg:"BACKDOOR subseven 22"; message to appear in logs
     • flags: A+; TCP flags; many options, like SA, SA+, !R, SF*
     • content: "|0d0…0a|"; binary data to check in the packet; content without | (pipe) characters does a simple content match
     • reference…; where to go to look for background on this rule
     • sid:103; rule identifier
     • classtype: misc-activity; rule type; many others
     • rev:4; rule revision number
     • Other rule options are possible, like offset, depth, nocase, and many more

  30. Custom made Snort rule. Simple rule that will trigger on normal traffic:
     alert tcp any any -> any any (msg:"Look for packets including www.checkpoint.com within first 200 bytes"; flow:established,to_server; file_data; content:"www.checkpoint.com"; within:200; )
     Looks for www.checkpoint.com within the first 200 bytes of TCP sessions.

  31. Some Snort rules distributions
     Official Snort Rules
     • URL: http://www.snort.org/snort-rules/
     • Annual subscription for immediate access
     • Released to registered users after 30 days
     Emerging Threats
     • URL: http://www.emergingthreats.net
     • Free Snort rules for emerging threats
     • Also a paid Pro package with enhanced coverage
     SCADA rules
     • URL: http://www.digitalbond.com/tools/quickdraw/
     • Open source collection of SCADA rules
     • Also adds several SCADA preprocessors

  32. Snort rules import in R75.40VS. Developed due to customer requests.
     • Converts Snort rule text files into IPS Blade protections
     • One rule is one protection
     • Listed among the other Check Point provided protections
     • New group in the IPS protection tree: SNORT Imported
     • Conversion is done on the management
     • CLI tool called SnortConverter
     • Converts the rules file and imports it into the protection DB
     • Needs the GUI R/W lock

  33. Snort protections properties
     Snort protections are automatically assigned: Severity: High; Confidence Level: Medium-Low; Performance Impact: High
     • The name of the imported Snort protection is the value of the msg field in the original SNORT rule
     • If one SNORT rule has multiple msg strings with the same value, they are aggregated into one IPS Snort protection
     • If multiple rules are imported at different times and have the same msg string, the new import overrides the old protection

  34. Other things to know…
     • Direction rules: -> will create Server protections; <- will create Client protections; <> will create Server and Client protections
     • Many combinations of keywords and modifiers are implemented differently in the IPS blade as Snort protections than in SNORT rules; more details in the IPS Admin guide
     • We recommend you test them before activating them in a production environment
     • Debug messages from the last SnortConvertor run are saved in $FWDIR/log/SnortConvertor.elg; to find failed rule debugs search for: Failed to convert rule
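As an added illustration of the Snort syntax and import slides above (example code, not Check Point’s SnortConverter or any Snort project code), the script below splits a rule into header and options, decodes |hex| content, and groups rules into protections by msg string and direction the way the import slides describe. The sample rules (beyond the subseven rule from the slides), the sid values and the field names are constructed.

```python
import re

# Constructed sample rules file: the subseven rule from the slides plus two
# constructed variants that reuse its msg string and exercise each direction.
RULES = '''
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; sid:103; classtype:misc-activity; rev:4;)
alert tcp $HOME_NET any <- $EXTERNAL_NET 27374 (msg:"BACKDOOR subseven 22"; content:"|0d0a|"; sid:104; rev:1;)
alert tcp any any <> any any (msg:"Look for www.checkpoint.com"; flow:established,to_server; content:"www.checkpoint.com"; within:200; sid:1000001; rev:1;)
'''

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<-|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# One option up to a ';' that is outside double quotes (escaped quotes not handled)
OPTION_RE = re.compile(r'((?:[^;"]|"[^"]*")+);')
# Direction to protection type, as the import slide describes
DIRECTION = {"->": ("Server",), "<-": ("Client",), "<>": ("Server", "Client")}

def decode_content(value):
    """Snort content: literal text outside |pipes|, hex bytes inside them."""
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def parse_rule(line):
    """Return the header fields plus an ordered (key, value) option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = [(k.strip(), v.strip().strip('"')) for k, _, v in
               (opt.partition(":") for opt in OPTION_RE.findall(body))]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def convert(rules_text):
    """Group rules into protections named by msg: one msg is one protection,
    and each rule's direction adds Server and/or Client protection types."""
    protections = {}
    for line in filter(str.strip, rules_text.splitlines()):
        rule = parse_rule(line)
        opts = dict(rule["options"])
        prot = protections.setdefault(opts["msg"], {"types": set(), "sids": [], "patterns": []})
        prot["types"].update(DIRECTION[rule["direction"]])
        prot["sids"].append(int(opts["sid"]))
        prot["patterns"] += [decode_content(v) for k, v in rule["options"] if k == "content"]
    return protections

if __name__ == "__main__":
    for name, prot in convert(RULES).items():
        print(name, sorted(prot["types"]), prot["sids"], prot["patterns"])
```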

  35. ROADMAP: FW / IPS duties; rulebase for IPS unified with AB; IPv6
