Industry Overview
Victor Kasacavage, Systems Engineer, Juniper Networks

Agenda
• Why does security matter?
• Types of Protection
• IDS vs IPS
• Layer 7 vs Layer 4
• Attack Phases and Tools
• Summary
Why Do People Care? Money
• Service Providers
  • Loss of bandwidth/connectivity = Loss of product = Loss of reputation
  • Theft of customer info = Loss of reputation
• Enterprise
  • Loss of productivity = Loss of immediate business + future business
  • Loss of intellectual property
• User
  • Loss of passwords = network vulnerability
  • Loss of personal identity/passwords = theft
Security Has Changed
An incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time.
“Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks. Therefore, as of 2004, we will no longer publish the number of incidents reported.”
Source: CERT Coordination Center
If You Sell It, They Will Buy
• Market doubled in 2005 for IPS, over half a billion for IDS/IPS this year
• IPS one of fastest growing segments in industry
• IDS users moving to IPS!
• “Most of the market remains a green field of prospects with interest and demand”*
[Chart: IDS vs IPS]
*Network Security and Intrusion Prevention, ESG, Jan 2005
[Figure: Risk = (Vulnerability × Threat × Asset Value $) / Countermeasures; compliance drivers shown: SOX, CESG, HIPAA, Basel II, GLB]
Types of Protection
• What technologies are available today?
• Firewalls
  • Controls access between networks
  • Some firewalls have more advanced inspection methods
  • Limits access to provide security
• Antivirus
  • Inspects for viruses in files or network traffic
  • Prohibits viruses embedded in files
  • Available as host software or network software/devices
  • Market began with host software, and is further developed
• Intrusion Detection Systems/Intrusion Prevention Systems
  • Watches for attacks on networks or on the host
  • Evaluates network traffic to determine if a suspected intrusion has taken place
  • Signals an alarm, creates a log (IDS/IPS) or drops traffic (IPS) (one or all)
  • Available as network software and/or host software
• The market would buy insurance, if it only knew what to buy!
  • Must be comprehensive (not a half-solution)
  • Must be implementable
  • Must be actionable (not just advice)
  • Should help with compliance issues
Intrusion Detection & Intrusion Prevention
IDS and IPS are designed to protect from:
• Network Worms
• Non-File Based Trojans
• Spyware/Adware/Keyloggers “phoning home”
• Other Malware & Zero-Day Attacks
• DOS
A Complete Solution
• At a minimum, the enterprise needs:
  • Firewall – necessary for first line perimeter defense
  • Host-based antivirus – prevents many viruses where they start
  • Network intrusion detection and prevention solution
    • Need application layer visibility to stop only attacks, in real time
• Full Layer 7 application visibility, which provides:
  • Context – not just the “bits” or “words,” but the “conversation”
  • Application/Protocol Breadth – insight into many different protocols
  • 2-Way Traffic Inspection – not just one direction of data, but both directions
  • “Zero-Day” Intelligence – not just known attacks, but unexploited vulnerability protection and protocol anomalies
  • Different detection methods for different phases of attack
Layer 7 IPS vs Layer 4 IPS Concept
[Figure: a traffic bit stream feeds both a Layer 4 and a Layer 7 processing engine]
• Layer 4 processing: basic, error-prone pattern match on the raw bit stream
• Layer 7 processing: extracts application state, application message and application message value to build Context, giving:
  • Precise L7 pattern match
  • Can perform Protocol Anomaly
  • Can detect zero-day attacks
Protocol Breadth
• Compares protocol behavior as seen in the traffic to the protocol RFC
• Requires support of many common protocols
Two-Way Traffic Inspection
Must look at incoming and outgoing traffic
[Figure: a one-way IPS inspects only the request side (1) and lets ALL response traffic (2) through; a two-way IPS inspects both the request (1) AND the response (2)]
Context + Protocol Breadth + 2-Way
Need all for zero-day protection
• Zero-day attacks have no signatures
• They can be discovered only with a combination of:
  • Layer 7 information
  • Protocol behavior comparisons
  • Both sides of the network “conversation”
Attack Phases and Tools
[Figure: external and internal attacks; unknowing employees bring in infection]
• Different methods for different attack phases
• Preparing to attack – the recon phase
Detection Methods
• Protocol Anomaly
• Stateful Signatures
• Backdoor Detection
• Traffic Anomaly
• Syn-Flood Detection
• IP Spoof Detection
• Layer 2 Detection
Multiple Methods Of Detection: Recon Detection
The attacker is trying to find vulnerabilities
[Figure: scans hit real servers and a fake server advertising FTP, SSH and Telnet]
Traffic Anomaly Detection
• Notes unusual traffic based on admin-configurable rules
• X ports per Y time; X IP addresses per Y time; X sessions per Y time
Network Honeypot
• Impersonates services, sending fake information in response to scans to try to entice attackers to access the non-existent services.
• There is no reason for legitimate traffic to access these resources because they don’t exist, so any attempt to connect constitutes an attack.
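The "X ports / X IP addresses / X sessions per Y time" rules above, as an added example (not code from the slides or from any Juniper product): a sliding-window counter per source host over constructed flow records, with the thresholds and window length chosen here as assumptions.

```python
from collections import defaultdict, deque

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.7 touches many ports on one server within seconds (a port sweep),
# 10.0.0.9 touches the same port on many hosts, 10.0.0.5 is ordinary traffic.
FLOWS = [
    (0, "10.0.0.5", "192.0.2.10", 443),
    (1, "10.0.0.7", "192.0.2.10", 21),
    (1, "10.0.0.7", "192.0.2.10", 22),
    (2, "10.0.0.7", "192.0.2.10", 23),
    (2, "10.0.0.7", "192.0.2.10", 25),
    (3, "10.0.0.7", "192.0.2.10", 80),
    (3, "10.0.0.7", "192.0.2.10", 110),
    (4, "10.0.0.5", "192.0.2.11", 443),
    (40, "10.0.0.9", "192.0.2.10", 22),
    (41, "10.0.0.9", "192.0.2.11", 22),
    (42, "10.0.0.9", "192.0.2.12", 22),
    (43, "10.0.0.9", "192.0.2.13", 22),
]

class TrafficAnomalyDetector:
    """Flags a source that exceeds X distinct ports, X distinct hosts or
    X sessions within a Y-second sliding window (admin-configurable rules;
    the defaults here are assumptions, not product values)."""

    def __init__(self, window=10, max_ports=5, max_hosts=3, max_sessions=20):
        self.window = window
        self.limits = {"ports": max_ports, "hosts": max_hosts, "sessions": max_sessions}
        self.history = defaultdict(deque)  # src_ip -> recent (ts, dst_ip, dst_port)

    def observe(self, ts, src, dst, port):
        """Record one flow and return the rules it trips (empty if none)."""
        q = self.history[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > self.window:   # expire events outside Y seconds
            q.popleft()
        counts = {
            "ports": len({p for _, _, p in q}),
            "hosts": len({d for _, d, _ in q}),
            "sessions": len(q),
        }
        return [f"{src}: {counts[k]} {k} in {self.window}s (limit {v})"
                for k, v in self.limits.items() if counts[k] > v]

def scan_flows(flows):
    """Run the detector over a flow list and collect every alert."""
    det = TrafficAnomalyDetector()
    alerts = []
    for rec in flows:
        alerts.extend(det.observe(*rec))
    return alerts
```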
Multiple Methods Of Detection: Attack Detection
The attacker has identified vulnerabilities and proceeds to attack
[Figure: the attacker establishes a connection and sends 512 bytes where the server expects <256 bytes; in the control channel “CNTL > expn root” is an exploit, while the same string in the message body (“Data > expn root is an exploit…”, after “CNTL > From, To”) is a FALSE POSITIVE]
Protocol Anomaly Detection
• Compares traffic to the protocol specification
• Only as useful as the number of protocols supported
Stateful Signatures
• Tracks state of the network “conversation.”
• For example, differentiates control portion from body of e-mail
• Significantly reduces false positives!
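The e-mail case on this slide, as an added example that is not from the presentation or from IDP: a stateless pattern match fires on “expn root” anywhere, while a matcher that tracks SMTP command/body state only fires on the real command and also reports the oversized command line as a protocol anomaly. The 256-byte limit and the session lines are constructed from the slide's figures.

```python
import re

# Thresholds and signature taken from the slide's figures (assumptions).
MAX_CMD_LEN = 256                                  # "server expects <256 bytes"
SIGNATURE = re.compile(rb"^expn\s+root\b", re.I)   # "expn root" as an SMTP command

# Constructed client-side SMTP session: a benign mail whose *body* mentions the
# exploit string, then a real EXPN command, then an oversized command line.
SESSION = [
    b"HELO mail.example.test",
    b"MAIL FROM:<alice@example.test>",
    b"RCPT TO:<bob@example.test>",
    b"DATA",
    b"Subject: IDS tuning",
    b"",
    b"FYI, 'expn root' is an exploit we should alert on.",
    b".",
    b"EXPN root",
    b"VRFY " + b"A" * 512,
]

def stateless_match(lines):
    """Layer 4 style pattern match: grep every line regardless of context."""
    return [i for i, l in enumerate(lines) if re.search(rb"expn\s+root", l, re.I)]

def stateful_inspect(lines):
    """Tracks SMTP state: command lines are inspected, message bodies are not."""
    state, alerts = "CMD", []
    for i, line in enumerate(lines):
        if state == "DATA":
            if line == b".":            # end of message body, back to commands
                state = "CMD"
            continue                    # body text never matches a command signature
        if len(line) >= MAX_CMD_LEN:    # protocol anomaly: oversized command line
            alerts.append((i, "protocol-anomaly: command line %d bytes" % len(line)))
        if SIGNATURE.match(line):
            alerts.append((i, "stateful-signature: EXPN root"))
        if line.upper() == b"DATA":
            state = "DATA"
    return alerts
```

Line 6 (the body text) is the slide's FALSE POSITIVE: only the stateless matcher reports it.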
Multiple Methods Of Detection: Propagation/Proliferation Detection
Initial attack has succeeded and is now proliferating
[Figure: spyware arrives via a “freeware” download (with a spyware surprise) or IM (with a surprise!) and stays dormant until the attacker “opens the backdoor”]
Spyware
• Recognizes spyware when it attempts to “phone home”
• Identifies source of message, so it can be eliminated before it spreads
Backdoor Detection
• A worm or Trojan sent by the attacker is downloaded along with something else
• Attacker will activate it to open a backdoor into the network
• IDP recognizes the non-allowed interactive traffic between the attacker and the worm.
Multiple Methods Of Detection: Propagation/Proliferation Detection
Initial attack has succeeded and is now proliferating
[Figure: a packet with SRC-IP 10.1.1.1, DST-IP 10.1.1.55, DST-Port 53 claiming to come from the 10.1.1.0/24 subnet; a typical ARP request/reply beside a forged ARP packet]
IP Spoof Detection
• Attacker spoofs IP addresses to make it look like the message is coming from inside the network
• Just define IP subnets behind each interface
• Validate source IP against inbound interfaces.
Layer 2 Attack Detection
• ‘arpspoof’ and ‘dsniff’
• MAC/IP flip-flops between interfaces
• Mismatch between Ethernet frame and ARP header
• IP address change for the same MAC
• Invalid ARP request/reply frames
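Both checks on this slide, as an added example (not the presentation's or IDP's code): source IPs validated against the subnets defined behind each interface, and ARP frames checked for an Ethernet/ARP header mismatch, an IP change for the same MAC, and invalid opcodes. The interface table and frames are constructed.

```python
import ipaddress

# Constructed interface table (an assumption): the subnets defined behind
# each interface; "outside" is the catch-all for everything else.
IFACE_SUBNETS = {
    "inside":  [ipaddress.ip_network("10.1.1.0/24")],
    "dmz":     [ipaddress.ip_network("192.0.2.0/24")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],
}

def expected_iface(src_ip):
    """Longest-prefix match: the interface a packet from src_ip should arrive on."""
    src = ipaddress.ip_address(src_ip)
    matches = [(n.prefixlen, i) for i, nets in IFACE_SUBNETS.items() for n in nets if src in n]
    return max(matches)[1]

def is_spoofed(inbound_iface, src_ip):
    """IP spoof check: the source IP must belong to a subnet behind the inbound interface."""
    return expected_iface(src_ip) != inbound_iface

class ArpMonitor:
    """Layer 2 checks from the slide: Ethernet/ARP header mismatch, IP change
    for the same MAC, and invalid opcodes. Frames are constructed dicts."""

    def __init__(self):
        self.mac_to_ip = {}   # learned ARP sender MAC -> sender IP bindings

    def inspect(self, frame):
        findings = []
        if frame["opcode"] not in (1, 2):              # 1 = request, 2 = reply
            findings.append("invalid ARP opcode %d" % frame["opcode"])
        if frame["eth_src"] != frame["arp_sha"]:       # frame header vs ARP header
            findings.append("Ethernet src MAC != ARP sender MAC")
        prev = self.mac_to_ip.setdefault(frame["arp_sha"], frame["arp_spa"])
        if prev != frame["arp_spa"]:                   # same MAC now claims a new IP
            findings.append("IP changed for MAC %s: %s -> %s"
                            % (frame["arp_sha"], prev, frame["arp_spa"]))
        return findings

# Constructed frames: a normal reply, then a forged reply where the Ethernet
# source disagrees with the ARP header and the MAC claims a new IP address.
FRAMES = [
    {"opcode": 2, "eth_src": "00:11:22:33:44:55", "arp_sha": "00:11:22:33:44:55", "arp_spa": "10.1.1.1"},
    {"opcode": 2, "eth_src": "66:77:88:99:aa:bb", "arp_sha": "00:11:22:33:44:55", "arp_spa": "10.1.1.254"},
]

def scan_frames(frames):
    """Return the findings for each frame in order."""
    mon = ArpMonitor()
    return [mon.inspect(f) for f in frames]
```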
Summary - IPS Selection Criteria
• Detection Methods
• Network and Application Visibility
• Accuracy
• Management and Ease of Use
• Throughput
• System Transparency
Juniper Standalone IDP Product Line
• IDP 1100C/F
  • Large central site or high traffic areas
  • 1 GB Max Throughput*
  • 500,000 Maximum Sessions
  • 4 GB Memory
  • HA Clustering
  • Fiber or Copper Gigabit Port Versions
  • Dual SCSI drives and redundant power
• IDP 600C/F
  • Medium to large central site or high traffic areas
  • 500Mb Throughput
  • 200,000 Maximum Sessions
  • 4 GB Memory
  • HA Clustering
  • Fiber or Copper Gigabit Port Versions
  • Dual SCSI drives and redundant power
• IDP 200
  • Medium central site and large branch offices
  • 250Mb Throughput
  • 50,000 Maximum Sessions
  • 1 GB Memory
  • HA Clustering and Integrated Bypass Ports
• IDP 50
  • Small network segments or low speed links
  • 50Mb Throughput
  • 10,000 Maximum Sessions
  • 1 GB Memory
  • Integrated Bypass Ports
All contain full IDP features and are managed using the same interface = Increased Security throughout the Network & Lower TCO
*As tested with IDP 3.0 software