TRANSCRIPT
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Security Agent and Network IDS/IPS
Erik Lenten, Technical Marketing Engineer
Session objectives
Give an overview of Cisco IDS and IPS technologies
Give an overview of how to deploy IDS and IPS
Explain key features that can help during a deployment
IPS Terminology: The Marketing of IPS/IDS
IDS Intrusion Detection System—typically limited to promiscuous sensors (out of packet stream)
IPS Intrusion Prevention/Protection System—the term most commonly applied to a sensor that sits inline (in the packet stream) and can drop malicious packets, flows or attackers
IDP Intrusion Detection and Prevention—marketing term coined by a vendor for product differentiation
Network IPS vs. Host based IPS
Network IPS:
Signature based (so frequent updates)
Good description of attack
More difficult to detect/prevent day-zero attacks
Host-based IPS:
Behavior based (less frequent policy updates)
Not always a good description of attack
Excellent protection against day-zero attacks
Could be used for data leakage, compliance management and others
Network IPS Terminology: What Is IPS? (Cont.)
“Identical to a wire” is the closest analogy
Inline interfaces have no MAC or IP and cannot be detected directly
Network IPS passes all packets without directly participating in any communications including spanning tree (but spanning tree packets are passed)
Default behavior is to pass all packets even if the protocol is unknown (e.g. IPX, AppleTalk) unless specifically denied by policy or detection
IPS Closely Resembles a Layer 2 Bridge or Repeater
Diagram: ARP request and ARP reply between Client and Server pass straight through the inline IPS
IDS/IPS devices within Cisco’s portfolio
Cisco IPS 4200 Series Sensor
Cisco Catalyst Switch with IPS Blade
Cisco Router with IPS Software
Cisco ASA 5500 Series with AIP module
Network IDS/IPS Components
Network-based sensors: specialized software and/or hardware used to collect and analyze network traffic (either in IPS or IDS mode: inline or promiscuous)
Appliances, modules, embedded in network infrastructure (either inline or promiscuous)
Security management and monitoring: performs configuration and deployment services (Cisco Security Manager)
Performs alert collection, aggregation, and correlation (CS-MARS)
False Positives Defined
False positive is the term most commonly used to indicate an event that was incorrectly reported; it is typically mistakenly applied to a broad group of possible results
False positive: a correctly named false positive is one where the sensor has triggered an alert based on a flawed algorithm or an analysis error; normally a fairly rare event
Benign trigger: the case where a sensor has correctly interpreted network traffic as an attack, but the intentions behind the traffic were not malicious; potentially common
False alarm (or noise): the case where a sensor has correctly detected that an event has occurred, but the event is non-threatening, not applicable to the site being monitored, or was not successful; very likely labeled as a false positive, very common
False negative is the term used to describe when an IPS misses a real attack or event
How to fix the ‘false positive’ issue
Sensor placement (knowing your network)
Cool Cisco features..;-)
Smart management systems
IPS/IDS Deployment: What Areas of the Network Are Candidates?
Diagram of the corporate network with its candidate areas:
Business Partner Access / Extranet Connections
Internet Connections
Remote Access Systems
Remote/Branch Office Connectivity
Data Center
Management Network
Flexibility in Deploying IDS/IPS: Comprehensive Deployment Options
Services Allow a Single Device to Be Deployed in the IDS Mode and the IPS Mode, Simultaneously (hybrid IDS and IPS)
Diagram: sensors deployed in IPS mode in front of the public services segment, the main campus, and the service provider, partner, or branch office network; an attacker reaches in from the Internet
Coming soon: Virtualized Policies (IPS 6.0)
Flexible context definitions: ability to define virtualized contexts based on physical interface and VLAN groupings
Assignment of custom signature/policy settings and response actions to each virtualized context
Virtual policy mapping between ASA and AIP
Diagram: customized policy per virtual context based on VLAN groupings (VLAN 1 through VLAN 4 grouped into Virtualized Context 1 and Virtualized Context 2) or based on interface groupings (Virtualized Policy 1: Interface 1 + 2; Virtualized Policy 2: Interface 3 + 4)
Process for Accurate Threat Mitigation: Rating Alarms for Threat Context
Rating the Risk Allows Users to Confidently Eliminate Malicious Packets Without Dropping Valid Traffic
Diagram: Event Severity + Asset Value of Target + Signature Fidelity + Attack Relevancy -> RR (Risk Rating)
Event Severity: the alert severity defined for the signature
Signature Fidelity: the signature fidelity rating delivers a confidence rating of the signature’s accuracy
Asset Value of Target: delivers greater insight into the relative criticality of target systems through asset value designation
Customizable Risk Rating Thresholds Allow Multiple Automated Event Actions for Each Alarm
Attack Relevancy Defined: OS Identification (coming in IPS 6.0)
Diagram: for each endpoint the sensor records the IP address of the endpoint, the virtual context where the system was discovered, and the learned OS of the target system
IPS Version 6.0 Anomaly Detection / Network Behavioral Analysis
Anomaly detection algorithms to detect and stop day-zero threats
False alarm reduction by learning behavior that is specific to network zones
Auto-learning with dynamic adjustment of AD thresholds
Increased accuracy through on-box event correlation
Diagram: Internet, Internal Zone 1, Internal Zone 2, Internal Zone 3, “illegal” IP addresses, and an infected host
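The slide lists per-zone learning, auto-adjusted thresholds and day-zero worm detection. The following is an added example, not Cisco IPS code: a toy anomaly detector that learns, per zone, how many distinct destinations a source talks to in one window, derives a threshold from that baseline, and flags a source that exceeds its own zone's threshold. The zone map, the fan-out statistic, the mean-plus-3-sigma rule with a floor, and all flow samples are constructed assumptions.

```python
"""Zone-aware anomaly detection with learned, per-zone thresholds.

Added example (not Cisco IPS code). The statistic is a source's fan-out:
how many distinct destinations it contacts in one window. Each zone learns
its own baseline, so a server zone with naturally high fan-out does not
raise the bar for a user zone, and a worm-like host stands out against its
own zone. Zone prefixes, flows and the threshold rule are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed zone map: address prefix -> zone name (anything else is Internet).
ZONES = {"10.1.": "Internal Zone 1", "10.2.": "Internal Zone 2", "10.3.": "Internal Zone 3"}


def zone_of(ip):
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "Internet"


def fanout_per_source(flows):
    """flows: iterable of (src, dst) pairs seen in one window -> {src: distinct dst count}."""
    seen = defaultdict(set)
    for src, dst in flows:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


class ZoneDetector:
    """Learns per-zone fan-out samples; threshold = max(min_abs, mean + k*stddev).

    The threshold is recomputed from all samples on every query, so feeding more
    learning windows adjusts it dynamically instead of fixing a global number.
    """

    def __init__(self, k=3.0, min_abs=5):
        self.k = k
        self.min_abs = min_abs            # floor so a tiny baseline does not alert on 3 vs 2
        self.samples = defaultdict(list)  # zone -> list of observed fan-out values

    def learn(self, flows):
        for src, fanout in fanout_per_source(flows).items():
            self.samples[zone_of(src)].append(fanout)

    def threshold(self, zone):
        vals = self.samples.get(zone)
        if not vals:
            return None                   # zone never learned: no verdict possible
        return max(self.min_abs, mean(vals) + self.k * pstdev(vals))

    def detect(self, flows):
        """Return (src, zone, fanout, threshold) for each source above its zone's bar."""
        alerts = []
        for src, fanout in fanout_per_source(flows).items():
            zone = zone_of(src)
            thr = self.threshold(zone)
            if thr is not None and fanout > thr:
                alerts.append((src, zone, fanout, round(thr, 1)))
        return alerts


def make_flows(src, n_dst, base="192.168.100."):
    """Constructed helper: src contacts n_dst distinct destinations."""
    return [(src, f"{base}{i}") for i in range(1, n_dst + 1)]


# Constructed learning windows: user hosts in Zone 1 touch 1-3 destinations,
# servers in Zone 2 touch 10-14, so the two zones learn different baselines.
LEARNING_FLOWS = []
for host, n in zip(range(10, 18), [1, 2, 3, 2, 1, 3, 2, 2]):
    LEARNING_FLOWS += make_flows(f"10.1.0.{host}", n)
for host, n in zip(range(10, 14), [10, 12, 14, 12]):
    LEARNING_FLOWS += make_flows(f"10.2.0.{host}", n)

# Constructed detection window: one Zone 1 host suddenly sweeps 40 destinations,
# while a Zone 2 server at 13 destinations stays within its own learned range.
WINDOW_FLOWS = (make_flows("10.1.0.50", 40)
                + make_flows("10.1.0.11", 4)
                + make_flows("10.2.0.5", 13))


def run_demo():
    det = ZoneDetector()
    det.learn(LEARNING_FLOWS)
    return det.detect(WINDOW_FLOWS)


if __name__ == "__main__":
    for src, zone, fanout, thr in run_demo():
        print(f"ALERT {src} ({zone}): {fanout} destinations in window, learned threshold {thr}")
```

The point of keeping separate sample lists per zone is the false-alarm reduction the slide refers to: the Zone 2 server touching 13 destinations would be an outlier against Zone 1's baseline but is ordinary against its own.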
Smart Management: Filter per category in CSM
Smart management: CS-MARS
Leverage YOUR existing investment to build “pervasive security”
Correlate data from across the Enterprise: NIDS, firewalls, routers, switches, CSA; syslog, SNMP, RDEP, SDEE, NetFlow, endpoint event logs
Rapidly locate and mitigate attacks
Key Features:
Determines security incidents based on device messages, events, and “sessions”
Incidents are topologically aware for visualization and replay
Mitigation on L2 ports and L3 chokepoints
Efficiently scales for real-time use across the Enterprise
MARS and reducing false positives
How:
Network-based correlation
Manual definition of applications on hosts
Built-in Nessus
Integration with VA tools
Discovery: SNMP read login, host scan
You got an alarm…now what?
Logging: Session Capture
Logs traffic associated with a signature trigger (in PCAP format)
Generally, only the trigger and subsequent packets are logged
Does impact sensor performance
Usage guidelines:
Tuning: use during sensor tuning for event analysis and subsequent signature tweaking
Forensics: useful to monitor “critical” signatures/resources
Handy tip: use with a custom signature to monitor a specific service/server/user
Do not log unless you know what you plan to use the log for
Signature Updates: Much like anti-virus, network IPSs must be kept up to date
Cisco has a new home for security information including IPS signatures:
tools.cisco.com/MySDN/Intelligence/home.x
Cisco has developed a new partnership with Trend Micro to provide enhanced virus and worm coverage as part of the normal IPS signature updates
Cisco-Trend ICS Service
Chart: fidelity of signature (low to high) against typical response time; plotted are Cisco ICS (OPACL) at 15 min., Cisco ICS (OPSig) at 90 min., and Cisco Services for IPS (Multi-Sig Database) alongside other competitive solutions at a 4–6+ hrs. typical response time
Standard Service: standard response times, broad vulnerability-based coverage
Premium Service: unmatched response times, outbreak-focused coverage
Cisco-Trend ICS Service
Diagram: a Cisco ICS Server in the Enterprise Network delivering mitigation to a Cisco Switch, Cisco IPS 4200 Series Sensor, Cisco Catalyst Switch with IPS Blade, Cisco Router with IPS Software, Cisco Router, and Cisco ASA 5500 Series with AIP module
Line of Defense: broad set of Cisco devices that can become rapid-response mitigation nodes
Mitigation Measures: broad near real-time (15 min.) ACL; high fidelity (90 min.) signature
Policy Control: Cisco ICS Server administers and delivers virus and worm related solutions
Outbreak Intelligence: TrendLabs’ worldwide real-time monitoring and signature development infrastructure
IOS IPS routers: distributed IPS mitigation
Enables a new concept: distributed, inline IPS for new levels of threat defense
Diagram: telecommuter (Cisco 850), small business / small satellite office (Cisco 870), branch/retail (Cisco 1800), small division (Cisco 1800/2800), regional office (Cisco 2800/3800) and corporate office (Cisco 7x00), connected across the Internet / service provider network to the enterprise, with central SDF file management
Full Control of IPS Signature Tuning
Do not attempt to load all supported signatures on a single router
IOS IPS is designed as a distributed mitigation solution, not as a scanner with all signatures loaded
SDM and CSM support full tuning of IOS IPS signatures
Enabling IOS IPS
Available in IOS 12.3(11)T Security image
aaa new-model
aaa authentication login default local
username cisco password 5 cisco
ip ips sdf builtin
ip ips name IPSRULE1
interface FastEthernet0
 ip ips IPSRULE1 in
ip http secure-server
ip ips notify SDEE
Latest Pre-Built Signature Description Files (V6)
Basic Signature Set (128MB.sdf): 340 signatures, consumes ~15 MB DRAM
Advanced Signature Set (256MB.sdf): 572 signatures, consumes ~50 MB DRAM
Selected mostly from appliance signatures enabled by default
Very good Metasploit attack coverage
All signatures use the default parameters (currently alarm-only)
Posted on 8/29/06 at: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup
Recommended release: 12.4(9)T1 or 12.4(8b)
Impact of Attack Traffic on IOS IPS Performance
Goal: Find CPU impact when IOS IPS is under attack
Nessus v3.0.3 used for generating attack traffic (52 signatures firing)
Configuration: Bi-directional IPS + FW + PAT; 256MB.sdf V5 signature file
Traffic: real world traffic at 9.6 Mbps
Results:
Firewall+PAT+IPS with no attack traffic: 50% CPU
Firewall+PAT+IPS with attack traffic: 57% CPU
Impact of attack traffic on CPU: 7%
Test setup diagram: Avalanche real-world client on G0/0 of a Cisco 3825 (image 12.4(9)T, FW+PAT+IPS enabled at 50% CPU), reflector and real-world server on G0/1, with attack traffic injected alongside the real-world traffic
Cisco Security Agent
Diagram: the five stages of an attack against a target
1. Probe: ping addresses, scan ports, guess passwords, guess mail users
2. Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, backdoors
3. Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors
4. Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares
5. Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets
Malicious Behavior: most damaging; changes very slowly; inspiration for the CSA solution
Versus: rapidly mutating; continual signature updates; inaccurate
Zero-Day Protection
Cisco defines Host-Based Intrusion Prevention as the ability to stop zero-day malicious code without reconfiguration or update.
CSA has the industry’s best record of stopping zero-day exploits, worms, and viruses over the past 4 years:
2001 – Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
2002 – Sircam, Debploit, SQL Snake, Bugbear
2003 – SQL Slammer, So Big, Blaster/Welchia, Fizzer
2004 – MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
2005 – Internet Explorer Command Execution Vulnerability, Zotob
No signatures, reconfiguration or binary updates required
Intercepting Operating System Calls
The Cisco Security Agent intercepts application OS calls and invokes an allow/deny response
Interceptors monitor calls for resource access:
File system
Network (inbound/outbound)
Registry
Execution (process creation, library access, executable invocation)
“Zero Update” architecture – behavior based control means you don’t need a new signature to stop the next attack
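To make the interception model concrete, here is an added example that is not Cisco Security Agent code: a small interceptor that classifies each OS call by resource (file, network, registry, execution), consults an ordered rule set that describes behavior rather than any particular attack, and returns allow or deny. Process names, paths, registry keys, the rule list and the sample calls are all constructed for the illustration; the policy idea is that a process in the mail client's tree never needs to spawn a shell, open a listening socket, or write under the system directory.

```python
"""Behavior-based allow/deny decisions for intercepted OS calls.

Added example (not Cisco Security Agent code). An interceptor sees each call
classified by resource (file, network, registry, exec) and asks a policy
whether the calling process, given its ancestry, may do it. No rule names a
specific exploit; they describe behavior a legitimate mail client never
needs. Process names, paths and rules are constructed for this illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Tuple


@dataclass
class Call:
    process: str                    # image name of the caller
    resource: str                   # "file" | "network" | "registry" | "exec"
    target: str                     # path, address:port, registry key, or child image
    action: str                     # "read" | "write" | "listen" | "connect" | "spawn"
    lineage: Tuple[str, ...] = ()   # ancestor process names, nearest first


@dataclass
class Rule:
    name: str
    resource: str
    action: str
    target_glob: str
    decision: str                         # "allow" | "deny"
    process_glob: str = "*"
    descended_from: Optional[str] = None  # match only inside this process tree

    def matches(self, c: Call) -> bool:
        if (c.resource, c.action) != (self.resource, self.action):
            return False
        if not fnmatch(c.target, self.target_glob) or not fnmatch(c.process, self.process_glob):
            return False
        if self.descended_from:
            tree = (c.process,) + c.lineage   # the caller itself counts as part of its tree
            return any(fnmatch(p, self.descended_from) for p in tree)
        return True


class Interceptor:
    """First matching rule wins; an unmatched call is allowed but logged so the
    log can be reviewed during policy tuning."""

    def __init__(self, rules):
        self.rules = rules
        self.log = []

    def intercept(self, call: Call) -> str:
        for r in self.rules:
            if r.matches(call):
                self.log.append((r.decision, r.name, call))
                return r.decision
        self.log.append(("allow", "default", call))
        return "allow"


# Constructed policy. Order matters: the installer exception precedes the general deny.
RULES = [
    Rule("installer may write system dir", "file", "write", "C:/Windows/System32/*", "allow",
         process_glob="msiexec.exe"),
    Rule("no writes to system dir", "file", "write", "C:/Windows/System32/*", "deny"),
    Rule("mail client tree must not spawn a shell", "exec", "spawn", "*/cmd.exe", "deny",
         descended_from="outlook.exe"),
    Rule("mail client tree must not listen", "network", "listen", "*", "deny",
         descended_from="outlook.exe"),
    Rule("no autorun persistence", "registry", "write", "HKLM/*/CurrentVersion/Run/*", "deny"),
]

# Constructed calls: ordinary document editing, an installer, and a process that
# was spawned by the mail client (see lineage) and behaves like a dropper.
SAMPLE_CALLS = [
    Call("winword.exe", "file", "C:/Users/alice/report.docx", "write", ("explorer.exe",)),
    Call("msiexec.exe", "file", "C:/Windows/System32/newdrv.sys", "write", ("services.exe",)),
    Call("outlook.exe", "exec", "C:/Windows/System32/cmd.exe", "spawn", ("explorer.exe",)),
    Call("update.exe", "file", "C:/Windows/System32/newdrv.sys", "write", ("outlook.exe", "explorer.exe")),
    Call("update.exe", "network", "0.0.0.0:4444", "listen", ("outlook.exe", "explorer.exe")),
    Call("update.exe", "registry", "HKLM/Software/Microsoft/Windows/CurrentVersion/Run/upd", "write",
         ("outlook.exe", "explorer.exe")),
]


def run_demo():
    """Return [(process, resource, action, decision)] for the constructed calls."""
    ic = Interceptor(RULES)
    return [(c.process, c.resource, c.action, ic.intercept(c)) for c in SAMPLE_CALLS]


if __name__ == "__main__":
    for row in run_demo():
        print("%-12s %-9s %-6s -> %s" % row)
```

The same dropper behavior is denied whether the file is a known worm or something never seen before, which is what the "zero update" claim rests on: the rules key on the process tree and the resource class, not on a signature of the payload.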
Cisco Security Agent offers unique agent and management level correlation
Correlation on Agent: higher accuracy; fewer “False Positive” events
Correlation on Manager (global correlation): higher accuracy; fewer “False Negative” events; stops attack before it reaches targets
Example: distributed “Ping Scans”, network worm propagation
Diagram: Management Center receiving events from multiple Agents
Deployment Example – Data Leakage
1. Create group and attach “Data Leakage” policy
Diagram (protection building up over time): packet tagging; track data from key servers; USB/removable device restrictions; clipboard abuse; location control; block
Wireless Control Goals
Disable wireless NIC when wired is active
Connection restrictions: certain SSIDs, encryption, ad-hoc
Require VPN connection when out of the office
Cisco is about integration
CSA + IPS Collaboration with Cisco Network IPS Version 6.0
- Enhanced contextual analysis of endpoint
- Ability to use CSA inputs to influence IPS actions
- Correlation of info. contained in CSA watch list
- Host Quarantining
Diagram sequence (Service Provider, network IPS, Management Console):
1. The Management Console supplies endpoint context for 10.1.10.1 (OS = Windows XP); the IPS elevates the risk rating and denies 10.1.10.1.
2. The CSA watch list contains 10.1.10.1; the IPS elevates the risk rating and denies 10.1.10.1.
3. Source 10.1.10.2 initiates a port scan destined for internal servers. Port scan from an IP not in the watch list: alarm only.
4. Watch-list source 10.1.10.1 initiates a port scan destined for internal servers. Port scan from an IP on the watch list: drop packet.
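The risk-rating slides (event severity, asset value of the target, signature fidelity, attack relevancy from the learned target OS, and thresholds that select event actions) and the CSA + IPS collaboration slides (a watch-listed source gets its rating elevated so the same port scan is dropped instead of only alarmed) describe one decision pipeline. The following is an added example that is not Cisco IPS code and does not use Cisco's actual formula: it combines the four inputs with a constructed rule, adds a constructed watch-list bump, and maps the result to actions through constructed thresholds. All addresses, signatures, OS assignments and asset weights are constructed.

```python
"""Risk rating, threshold-driven actions, and CSA watch-list elevation.

Added example (not Cisco IPS code). The deck names four inputs to the Risk
Rating (event severity, asset value of target, signature fidelity, attack
relevancy from the learned target OS), thresholds that map RR to actions, and
a CSA watch list that elevates RR for a source. The combination rule, the
0..100 scales, the +/-10 relevancy step, the +25 watch-list bump, the
thresholds and every address below are constructed assumptions, not
Cisco's actual formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: int                         # alert severity defined for the signature, 0..100
    fidelity: int                         # confidence that a trigger is a true detection, 0..100
    affected_os: frozenset = frozenset()  # OSes the attack works against; empty = not OS-specific


@dataclass(frozen=True)
class Alarm:
    sig: Signature
    src: str
    dst: str


class RiskRater:
    # Constructed thresholds, checked highest first; "produce alert" always happens.
    THRESHOLDS = ((85, "deny attacker inline"), (50, "deny packet inline"))

    def __init__(self, asset_value, learned_os, watch_list):
        self.asset_value = asset_value  # dst -> weight, 100 = neutral, >100 = more critical
        self.learned_os = learned_os    # dst -> OS learned by passive OS identification
        self.watch_list = watch_list    # sources CSA has reported as suspicious

    def attack_relevancy(self, sig, dst):
        """+10 if the target runs an OS the attack affects, -10 if it does not, 0 if unknown."""
        os_name = self.learned_os.get(dst)
        if not sig.affected_os or os_name is None:
            return 0
        return 10 if os_name in sig.affected_os else -10

    def risk_rating(self, alarm):
        sig = alarm.sig
        base = sig.severity * sig.fidelity * self.asset_value.get(alarm.dst, 100) / 10000
        rr = base + self.attack_relevancy(sig, alarm.dst)
        if alarm.src in self.watch_list:
            rr += 25                      # CSA input elevates the rating for this source
        return max(0, min(100, round(rr)))

    def actions(self, alarm):
        rr = self.risk_rating(alarm)
        acts = ["produce alert"]
        for minimum, act in self.THRESHOLDS:
            if rr >= minimum:
                acts.append(act)
                break
        return rr, acts


# Constructed signatures.
PORT_SCAN = Signature(3002, "TCP port sweep", severity=50, fidelity=60)
XP_ONLY = Signature(5000, "service exploit affecting Windows XP only", severity=100, fidelity=85,
                    affected_os=frozenset({"Windows XP"}))


def make_rater():
    """Constructed context: one mission-critical server, learned OSes, one watch-listed source."""
    return RiskRater(
        asset_value={"10.10.1.5": 150},
        learned_os={"10.10.1.5": "Windows XP", "10.10.1.6": "Linux", "10.10.1.7": "Windows XP"},
        watch_list={"10.1.10.1"},
    )


CASES = {
    "scan, source not on watch list": Alarm(PORT_SCAN, "10.1.10.2", "10.10.1.7"),
    "scan, source on watch list": Alarm(PORT_SCAN, "10.1.10.1", "10.10.1.7"),
    "XP exploit at XP target": Alarm(XP_ONLY, "10.1.10.2", "10.10.1.7"),
    "XP exploit at Linux target": Alarm(XP_ONLY, "10.1.10.2", "10.10.1.6"),
    "XP exploit at critical XP server": Alarm(XP_ONLY, "10.1.10.2", "10.10.1.5"),
}


def run_demo():
    rater = make_rater()
    return {label: rater.actions(alarm) for label, alarm in CASES.items()}


if __name__ == "__main__":
    for label, (rr, acts) in run_demo().items():
        print(f"{label:34s} RR={rr:3d}  {', '.join(acts)}")
```

The two scan cases reproduce the deck's scenario: an identical port-scan alarm rates 30 (alert only) from 10.1.10.2 but 55 (deny packet) from the watch-listed 10.1.10.1. The exploit cases show the other inputs at work: the same signature rates lower against a Linux target (relevancy) and saturates against the mission-critical server (asset value), so the inline action follows the context rather than the signature alone.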