
Intrusion Detection & Response: Leveraging Next-Generation Firewalls

Presentation by Ahmed Abdel-Aziz, November 2009. GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT), CISSP.


Presentation Transcript


  1. Intrusion Detection & Response: Leveraging Next-Generation Firewalls
     Ahmed Abdel-Aziz, November 2009
     GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT), CISSP
     SANS Technology Institute - Candidate for Master of Science Degree

  2. Objective
     1) Describe Recent Threat Trends & Security Statistics
     2) What are Next-Generation Firewalls (NGFWs)
     3) How to Leverage NGFWs in Intrusion Detection: NGFWs in Bot Detection & Extrusion Detection
     4) How to Leverage NGFWs in Intrusion Response: NGFWs in Incident Handling, NAC, and Application Enforcement
     5) Important Planning Considerations

  3. Section 1 of 5: Threat Trends & Security Statistics
     • Bots Increasing – Trojan variants spiked 300% from 2007 to 2008 [source: McAfee Virtual Criminology Report, 2008]
     • Compromise Discovery takes at least months, 65% of the time
     • Responding to Compromise takes at least weeks, 63% of the time [source: Verizon Business, 2008 Data Breach Investigations Report]
     • NGFWs Can Significantly Reduce Compromise Discovery (specifically Bot detection) & Response Times.

  4. Section 2 of 5: NGFWs – The Evolution
     • NGFWs Incorporate Multiple Security Services
     • NGFWs Not a Solution to Every Problem (examples):
       • Use WAF for web application attacks (XSS, SQL Injection, etc.)
       • Use dedicated email security solution for advanced spam filtering
     • Firewalls Typically a Prevention Control; NGFWs Can Also Become a Detection & Reactive Control
     • More Effective, Simpler, and Economical Security

  5. Section 3 of 5 (Intrusion Detection): NGFWs in Bot Detection
     • What Bots Do:
       • Steal Sensitive Info
       • Send Spam, Act as Proxy
       • Execute DDoS & Other Attacks
     • Bot Detection Techniques:
     • (1) Detection by Using NIPS Component of NGFW
       • NIPS Blocks Attacks Originating from Internal Bots
       • NIPS Cuts Communication Between Bot & its Command-and-Control (C&C) Server using Known Traffic Signatures (Popular Bots Only, Unencrypted Communication Only)

  6. Section 3 of 5 (Intrusion Detection): NGFWs in Bot Detection Continued
     • (2) Detection by Blocking Protocol Used in Command-and-Control (C&C)
       • Stop Storm Bot Updates by Blocking eDonkey P2P Protocol
       • Configured in Fortinet Technology using a Protection Profile
     • (3) Detection by Logging Violations & Audit Trail
       • Add Explicit Deny Rule at End of Firewall Policy for Logging
       • Tighten Outgoing Firewall Policy Too – Not Just Incoming
       • Network Audit Trail for Traffic Flow Analysis – Anomalies?? (Malware Can be Detected Without Antivirus, Interesting!!)

  7. Section 3 of 5 (Intrusion Detection): NGFWs in Bot Detection Continued
     • (4) Detection by Filtering Malicious Content in Traffic
       • Leverage Perimeter Antimalware, Antispam, URL Filtering
       • Configured in Fortinet Technology Using a Protection Profile
       • Use SSL Inspection for Network Encrypted Protocols: HTTPS, SMTPS, POPS, IMAPS
     • (5) Detection Using DNS Based Techniques
       • High Number of MX DNS Requests From Non SMTP Server
       • Same DNS Request From Many Internal Hosts At Same Time
       • Very Small TTL Values in DNS Replies (FastFlux)
       (What's in Common? ….. DNS Anomalous Traffic)
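The three DNS heuristics on this slide, run over a constructed DNS query log. This is an added example, not code from the presentation or from Fortinet; the log line format, the thresholds and the mail-server address are assumptions.

```python
import re
from collections import defaultdict
# Constructed DNS query log (not from the presentation): "<epoch> <client_ip> <qtype> <qname> ttl=<reply_ttl>"
SAMPLE_LOG = """\
1000 10.0.0.5 MX example.net ttl=3600
1001 10.0.0.5 MX example.org ttl=3600
1002 10.0.0.5 MX example.edu ttl=3600
1003 10.0.0.2 MX example.net ttl=3600
1005 10.0.1.11 A cnc.bad.example ttl=60
1005 10.0.1.12 A cnc.bad.example ttl=60
1006 10.0.1.13 A cnc.bad.example ttl=60
1006 10.0.1.14 A cnc.bad.example ttl=60
1010 10.0.1.20 A flux.bad.example ttl=30
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) ttl=(\d+)$")
MAIL_SERVERS = {"10.0.0.2"}  # assumed: only the mail server legitimately resolves MX
MX_LIMIT = 3          # MX queries from a non-SMTP host before alerting
SAME_NAME_HOSTS = 4   # distinct hosts asking for the same name ...
SAME_NAME_WINDOW = 5  # ... within this many seconds
FASTFLUX_TTL = 300    # replies with a TTL at or below this are suspicious

def parse(log_text):
    """Yield (time, client, qtype, qname, ttl); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, client, qtype, qname, ttl = m.groups()
            yield int(t), client, qtype, qname, int(ttl)

def detect(log_text):
    """Apply the slide's three DNS heuristics; return the findings per class."""
    mx_count = defaultdict(int)   # non-SMTP host -> number of MX queries
    by_name = defaultdict(list)   # qname -> [(time, client)]
    low_ttl = set()
    for t, client, qtype, qname, ttl in parse(log_text):
        if qtype == "MX" and client not in MAIL_SERVERS:
            mx_count[client] += 1
        by_name[qname].append((t, client))
        if ttl <= FASTFLUX_TTL:
            low_ttl.add(qname)
    synchronized = set()
    for qname, events in by_name.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window over one name
            hosts = {c for t, c in events[i:] if t - t0 <= SAME_NAME_WINDOW}
            if len(hosts) >= SAME_NAME_HOSTS:
                synchronized.add(qname)
                break
    return {"mx_from_non_smtp": sorted(h for h, n in mx_count.items() if n >= MX_LIMIT),
            "same_query_many_hosts": sorted(synchronized), "fast_flux_ttl": sorted(low_ttl)}
```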

  8. Section 3 of 5 (Intrusion Detection): NGFWs in Extrusion Detection
     Basic Data Leakage Prevention
     • Prevent Confidential Documents Leakage Through HTTP
     • Achieved by Defining Watermark & Creating Custom IPS Rule
     • Sample Rule for Fortinet NGFW Below:

         config ips custom
             edit DataLeakageThroughHTTP
                 set signature 'F-SBID(--name "DLP"; --dst_port 80; --flow bi-direction; --default_action DROP; --protocol tcp; --pattern "Organization Confidential X!kltsrodm*(&!sldrk4#dk-+"; )'
             next
         end

     • Other Rules Can be Used to Detect Credit Card Numbers using Regular Expressions
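The two extrusion checks from this slide (the watermark match and the regular-expression search for card numbers) applied to outbound HTTP bodies, with a Luhn test added to cut the false positives a bare regex produces. This is an added example, not the presentation's or Fortinet's code; the sample bodies are constructed and the watermark is the one from the slide's rule.

```python
import re

# Watermark copied from the slide's sample rule; a real deployment uses its own secret marker.
WATERMARK = "Organization Confidential X!kltsrodm*(&!sldrk4#dk-+"
# Candidate card number: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check digit test; drops most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return the distinct digit strings in text that match CARD_RE and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found

def inspect_http_body(body):
    """Mirror the slide's IPS rule on an outbound HTTP body: DROP on the watermark,
    and (the slide's follow-on idea) on card numbers; otherwise PASS."""
    reasons = []
    if WATERMARK in body:
        reasons.append("watermark")
    cards = find_card_numbers(body)
    if cards:
        reasons.append("card_numbers:%d" % len(cards))
    return ("DROP" if reasons else "PASS", reasons)

# Constructed sample bodies for the checks above
LEAK_BODY = "Q3 plan. Organization Confidential X!kltsrodm*(&!sldrk4#dk-+ Do not distribute."
CARD_BODY = "order 4111 1111 1111 1111 ok; ref 1234567890123456 is an order id, not a card"
CLEAN_BODY = "Hello, invoice id 20090123 attached."
```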

  9. Section 4 of 5 (Intrusion Response): NGFWs in Incident Handling
     • Security Incident Took Place While On-site (Process Proved Effective in Responding to Spambot)
     • (1) Identification Phase – Incident Handling Process
       • Users Suddenly Unable to Send Email to Any Destination
       • nslookup & telnet to Send Email, SMTP Connection Rejected
       • Public IP Blacklisted as Spam Sender
       • Sudden Spike in Email Activity, Spambot on the Network

  10. Section 4 of 5 (Intrusion Response): NGFWs in Incident Handling Continued
     • (2) Containment Phase – Incident Handling Process
       • Block All Outgoing TCP/25 Except from Mail Server
       • Spambots on Network Unable to Send More Spam, Damage Already Done (Public IP has been Blacklisted)
     • (3) Eradication Phase – Incident Handling Process
       • Goal: Remove Attacker's Artifacts
       • Spambots Detected by Logging Violations to TCP/25 Rule Configured in Containment → 12 Spambots Detected!
       • Eradication Needs Time, Disconnect Bots, Move to Recovery
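The eradication step above (reading the violations logged by the containment rule to list the spambots) over a constructed traffic log. This is an added example, not the presentation's or Fortinet's code; the key=value log format and the mail-server address are assumptions.

```python
import re
from collections import Counter

# Constructed traffic-log lines in a key=value style (not from the presentation);
# they stand in for the NGFW's log of the explicit "deny TCP/25" containment rule.
SAMPLE_LOG = """\
date=2009-11-02 srcip=10.0.0.2 dstip=203.0.113.10 proto=6 dstport=25 action=accept
date=2009-11-02 srcip=10.0.3.7 dstip=203.0.113.11 proto=6 dstport=25 action=deny
date=2009-11-02 srcip=10.0.3.7 dstip=203.0.113.12 proto=6 dstport=25 action=deny
date=2009-11-02 srcip=10.0.3.9 dstip=203.0.113.13 proto=6 dstport=25 action=deny
date=2009-11-02 srcip=10.0.3.9 dstip=203.0.113.14 proto=6 dstport=80 action=accept
date=2009-11-02 srcip=10.0.4.1 dstip=203.0.113.15 proto=6 dstport=25 action=deny
date=2009-11-02 srcip=10.0.4.1 dstip=203.0.113.16 proto=17 dstport=25 action=deny
"""
KV_RE = re.compile(r"(\w+)=(\S+)")
MAIL_SERVER = "10.0.0.2"   # assumed: the only host permitted to send on TCP/25

def parse_line(line):
    """Turn one key=value log line into a dict (unknown keys are kept as strings)."""
    return dict(KV_RE.findall(line))

def spambot_candidates(log_text, min_hits=1):
    """Internal hosts whose TCP/25 attempts were denied by the containment rule,
    ranked by number of denied connections; the mail server is never listed."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec.get("action") == "deny" and rec.get("proto") == "6"
                and rec.get("dstport") == "25" and rec.get("srcip") != MAIL_SERVER):
            hits[rec["srcip"]] += 1
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]
```

Raising `min_hits` separates persistent senders from a host that tried SMTP once, which is the list to disconnect first before moving to recovery.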

  11. Section 4 of 5 (Intrusion Response): NGFWs in Incident Handling Continued
     • (4) Recovery Phase – Incident Handling Process
       Action 1: (Change Mail Server Blacklisted Public IP)
       • In Fortinet Technology, Feature is Called IP Pools
       • Effect on Outgoing Mail Traffic Only, Otherwise DNS MX Record Must be Changed
       Action 2: (Remove Public IP from Blacklists)
       • Get Blacklists from MXtoolbox.com – Request Removal of IP
     • (5) Lessons Learned Phase – Incident Handling Process
       • Duration from Identification to Recovery – Only one Hour!!
       • Compare to Typical Intrusion Response Time of Weeks
       Source: Verizon Business, 2008 Data Breach Investigations Report

  12. Section 4 of 5 (Intrusion Response): NGFWs in Network Access Control
     • Pre-Admission Network Access Control in NGFW
       • Checks for Existing, Running & Updated Endpoint Security Solution (Isolate Hosts with Compromised Endpoint Security Solution)
       • Pre-build Application White-list & Enable On-Demand (Isolate Hosts with Unknown Applications Installed)
     • Post-Admission Network Access Control in NGFW
       • Isolate Hosts that Originate Attacks Detected by NIPS
       • Isolate Virus Senders Detected by Antimalware
       • Isolate Hosts Violating Configured DLP Rules
       • Allows Very Fast Response Time (Self DOS Potential)

  13. Section 4 of 5 (Intrusion Response): NGFWs in Application Enforcement
     • Enforcing Application Use
       • Only Windows Firefox Allowed as a Web Browser
       • IPS –ve Security Model Becomes +ve Security Model
       • Achieved by Creating Custom IPS Rule on NGFW
     • Sample Rule for Fortinet NGFW Below:

         config ips custom
             edit NotFirefoxBrowserOnWindows
                 set signature 'F-SBID(--name "App Enforcement"; --service HTTP; --default_action DROP; --flow established; --pattern "GET"; --context header; --pattern !"User-Agent: Mozilla/5.0 (Windows: U: Windows NT 5.1: en-us: rv:1.9.0.5) Gecko/2008120123 Firefox/3.0.5\r\n"; --context header; )'
             next
         end

  14. Section 5 of 5: Important Planning Considerations
     • Proper Product Selection & Sizing Key to Performance
       • Research Underlying HW Technology & SW Integration
       • Datasheet Figures not Enough, Check Independent Testing Lab Certification for Real-World Performance
         Ex: NSS Labs Report on the FortiGate 3810A NGFW States "Sustained 270Mbps Throughput with all Security Services Enabled"
     • Check Quality of Security Services Included in NGFW (ICSA Labs Certification for IPS, Firewall, AntiMalware, etc…)
     • Avoid Single Point of Failure by Clustering; Decide whether to Fail Open or Closed (Balance Availability need with Confidentiality & Integrity Need)

  15. Summary
     • Statistics Demonstrate Improvement Needed in Current State of Intrusion Detection & Response
     • NGFWs Can be Leveraged to Significantly Improve Intrusion Detection & Response Times Including Bot Intrusions
     • Planning Deployment Critical to Reap Rewards
     • Paper in SANS Reading Room Includes More Info:
       http://www.sans.org/reading_room/whitepapers/firewalls/intrusion_detection_and_response_leveraging_next_generation_firewall_technology_33053
       or … search on "NGFW" in SANS site
