Intrusion Prevention System
Hoàng Thế Long – 13320795
Nguyễn Thái Bình – 13320785
Stephen Gates – CISSP, stephen.gates@corero.com
SANS Institute Top 10 Cyber Threats for 2013
• Increasingly sophisticated website attacks that exploit browser vulnerabilities
• Increasing sophistication and effectiveness of botnets
• Cyber espionage efforts by well-resourced organizations to extract large amounts of data for economic and political purposes
• Mobile phone threats, especially against iPhones, Google's Android phones, and voice over IP systems
• Insider attacks
• Advanced identity theft from persistent bots
• Increasingly malicious spyware
• Web application security exploits
• Increasingly sophisticated social engineering to provoke insecure behavior
• Supply chain attacks that infect consumer devices
Source: SANS Institute
What is an IPS?
• Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of an intrusion prevention system are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.
Source: Principles of Information Security – Michael E. Whitman, Herbert J. Mattord
Why use an IDPS (cont.)?
1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
2. To detect attacks and other security violations that are not prevented by other security measures
3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities)
4. To document the existing threat to an organization
5. To act as quality control for security design and administration, especially in large and complex enterprises
6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors
Why use an IDPS (cont.)?
• Best reason
• One of the best reasons to install an IDPS is that it serves as a deterrent by increasing the fear of detection among would-be attackers. If internal and external users know that an organization has an intrusion detection and prevention system, they are less likely to probe or attempt to compromise it, just as criminals are much less likely to break into a house that has an apparent burglar alarm.
Types of IDPS
• Network-based IDPS (NIDPS): monitors the entire network for suspicious traffic by analyzing protocol activity
• Wireless IDPS
• Network Behavior Analysis (NBA) system
• Host-based IDPS (HIDPS): an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host
IDPS Detection Methods
1. The signature-based approach
2. The statistical-anomaly approach
3. The stateful packet inspection approach
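The first two detection approaches above, as an added toy example that is not part of the slides: a signature matcher over payload text, and a statistical-anomaly check that baselines distinct destination ports per source and flags sources far above the baseline. The flow-record format, the signatures, the sample traffic and the k=3 threshold are all constructed assumptions.

```python
"""Toy signature-based and statistical-anomaly detection (added example).
Flow format, signatures, baseline and threshold are assumptions, not IDPS product logic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (source_ip, dest_port, payload snippet).
# The last source touches 41 distinct ports, i.e. a port sweep.
SAMPLE_FLOWS = [
    ("198.51.100.7", 80, "GET /index.html HTTP/1.1"),
    ("198.51.100.7", 80, "GET /about HTTP/1.1"),
    ("203.0.113.9", 80, "GET /login.php?user=' OR '1'='1 HTTP/1.1"),
    ("192.0.2.44", 22, "SSH-2.0-OpenSSH_8.9"),
] + [("192.0.2.44", p, "") for p in range(1000, 1040)]

# Constructed "normal day" traffic used only to learn the baseline.
BASELINE_FLOWS = [
    ("198.51.100.1", 80, ""), ("198.51.100.1", 443, ""),
    ("198.51.100.2", 80, ""), ("198.51.100.3", 443, ""),
    ("198.51.100.4", 80, ""), ("198.51.100.4", 443, ""),
]

# Signature-based approach: known bad byte patterns (toy signatures).
SIGNATURES = {
    "sqli-tautology": "' OR '1'='1",
    "dir-traversal": "../",
}

def signature_alerts(flows):
    """Return (source_ip, signature_name) for each payload that hits a signature."""
    alerts = []
    for src, _port, payload in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append((src, name))
    return alerts

def distinct_ports_per_source(flows):
    """Count distinct destination ports contacted by each source address."""
    ports = defaultdict(set)
    for src, port, _payload in flows:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items()}

def anomaly_alerts(flows, baseline_flows, k=3.0):
    """Statistical-anomaly approach: flag sources whose distinct-port count
    exceeds baseline mean + k * stddev (stddev floored at 1 for flat baselines)."""
    baseline = list(distinct_ports_per_source(baseline_flows).values())
    threshold = mean(baseline) + k * max(pstdev(baseline), 1.0)
    current = distinct_ports_per_source(flows)
    return [src for src, n in current.items() if n > threshold]
```

Note that the port sweep produces no signature hit and the injection attempt produces no anomaly, which is why real deployments combine the approaches rather than relying on one.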
IDPS Response Options
• Audible/visual alarm
• E-mail message
• Page or phone message
• Log entry
• Evidentiary packet dump
• Take action against the intruder
• Launch program
• Reconfigure firewall
• Terminate session
• Terminate connection
Strengths of IDPS
• Monitoring and analysis of system events and user behaviors
• Testing the security states of system configurations
• Baselining the security state of a system, then tracking any changes to that baseline
• Recognizing patterns of system events that correspond to known attacks
• Recognizing patterns of activity that statistically vary from normal activity
• Managing operating system audit and logging mechanisms and the data they generate
• Alerting appropriate staff by appropriate means when attacks are detected
• Measuring enforcement of security policies encoded in the analysis engine
• Providing default information security policies
• Allowing non-security experts to perform important security monitoring functions
Limitations of IDPS
• Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software
• Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load
• Detecting newly published attacks or variants of existing attacks
• Effectively responding to attacks launched by sophisticated attackers
• Automatically investigating attacks without human intervention
• Resisting all attacks that are intended to defeat or circumvent them
• Compensating for problems with the fidelity of information sources
• Dealing effectively with switched networks
Others
• Reporting and archiving capabilities
• Failsafe considerations for IDPS responses
• Selecting IDPS approaches and products
• Organizational requirements and constraints
• IDPS product features and quality
Typical Network Topology
[Diagram: the Internet's "no-man's land" with "Good Users", then router and switch, firewall, and the IT infrastructure (servers and applications). Customer traffic flows through the firewall to the servers.]
Assumption: customer traffic is flowing through as expected.
What are the Firewall/UTM limitations?
[Diagram: "Attackers" and "Good Users" on the Internet side, router and switch, firewall, then the IT infrastructure (servers and applications).]
• Should I restrict access? Static access restriction based on source IP is not feasible: there are billions of IP addresses out there.
• At what rate can traffic enter my network? Policy-based static rate limiting, without analysing application and user behaviour, is not feasible either: it easily drops good traffic at the same time.
• The firewall/UTM has insufficient resources to deal with a DDoS attack.
What else can the Firewall/UTM not do?
[Diagram: "Attackers" and "Good Users" on the Internet side, router and switch, firewall, then the IT infrastructure (servers and applications).]
• Bi-directional traffic inspection: the firewall inspects incoming traffic, but what about return traffic from the application servers?
• How many applications, operating systems and BYOD devices are running in our company? Does the firewall/UTM know about them? The firewall/UTM has a limited set of application and OS signatures (and no BYOD database), so unknown traffic that matches firewall policy still passes through.
Without IPS
[Diagram: unwanted traffic from "Attackers" (DDoS attacks, protocol abuse, server-side exploits, undesired users and services) arrives alongside customer traffic from "Good Users"; the firewall system is overloaded in front of the IT infrastructure (servers and applications).]
With IPS
[Diagram: an IDPS sits in front of the firewall system; the attackers' DDoS attacks, protocol abuse and server-side exploits are foiled, while customer traffic from "Good Users" reaches the servers and applications (satisfied customers).]
IDPS Centralized Management & Reporting
• Corero Security Operations Center
• SecureWatch
[Figure: excerpts of SecureWatch reports]