Defense-in-Depth, Part 2: Advanced Intrusion Defense
Joel Snyder, Opus One, [email protected]
A firewall is not just a firewall any more
Firewalls now have “advanced application intelligence”
• Actually, they had that already, but the marketroids had to keep themselves busy
Firewalls now are “intrusion prevention systems”
• Isn’t every firewall an intrusion prevention system?
Firewalls now do virus scanning, content scanning, and ironing
Application-layer firewalls are needed to protect legions of inadequate web programmers
IDS has been replaced by IPS
• (No, I don’t believe that, I’m just repeating awful rumors)
Worms now outnumber viruses in your e-mail by a factor of 20 to 1
Spam represents 50% to 75% of all e-mail you receive
Key question: Do you need this?
Do you need to buy (or upgrade) to a bigger, smarter, faster, more capable firewall?
Do you need to buy an IPS?
…an application layer firewall?
…a smarter IDS?
…an SSL VPN device?
Do I want an all-in-one thing?
Do I want individual parts?
The answer you’ve been waiting for… is on the very next slide!
Should I buy a lot of this new security stuff?
And if I do buy this, what kind should I buy?
And where should I put it?
And which product should I buy?
Answer: 42
I can’t tell you what is right for your network
I can tell you what products are out there and what they are doing
I can also tell you what the trends are in these products
But the hard work remains yours
So let’s look at what’s happening in the firewall business
March, 2004: Information Security sponsors research on new firewall technologies
Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard
Support from Andy Briney, Neil Roiter at Information Security
http://infosecuritymag.techtarget.com/
Firewalls have been around for a very long time
“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.”
(Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)
Timeline, 1989 to 2005:
• First firewalls deployed in Internet-connected organizations
• “Firewalls and Internet Security” published
• TIS toolkit commonly available
• Cisco buys PIX (Network Translation)
• CheckPoint revenues cross $100m
• WatchGuard introduces 1st FW appliance
Surely firewall makers have been busy since 1999?
Clear market trends
Faster
Cheaper
Smaller
• New Guard: NetScreen (Juniper), Watchguard, SonicWALL
• Old Guard: Cisco, Check Point
Clear product trends
Add VPN features
• Site-to-site
• Remote Access (?)
Add policy-based URL control
• Websense-type
Add interfaces
• No longer just inside, outside, DMZ
Incremental improvements are not very exciting
Smaller, cheaper, faster: that’s great
VPNs, more interfaces: that’s great
But what have you done for me lately?
To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!
Arguments between Proxy and Stateful PF continued
Proxy
• More secure because you can look at application data stream
• More secure because you have independent TCP stacks
Stateful PF
• Faster to write
• Faster to adapt
• Faster to run
• Faster also means cheaper
Proxy-based firewalls aren’t dead… just slow!
[Diagram: Proxy vs. Packet Filtering. Labels: Inside network = 10.1.1.0/24; Outside net = 1.2.3.4; packet Src=10.1.1.99 Dst=5.6.7.8 on the inside, Src=1.2.3.4 Dst=5.6.7.8 on the outside; TCP/IP; Kernel; RTL; Process Space.]
Firewall Landscape: five years ago
IBM eNetwork, Secure Computing, Altavista Firewall, TIS Gauntlet, Raptor Eagle, Elron, Cyberguard, Ukiah Software, NetGuard, WatchGuard, SonicWALL, Check Point, Livermore Software, Milkyway, Borderware, Global Internet
Stateful Packet Filtering dominates the market
[Diagram: Stateful Packet Filtering at the IP layer, in the Kernel.]
Check Point, Cisco, NetScreen, SonicWALL
Freeware-based products: Ipchains, IPF, Iptables, IPFW
FW Newcomers: Fortinet, Toshiba, Ingate, ServGate, many others
But… the core argument was never disputed
Proxy-based firewalls do have the possibility to give you more control because they maintain application-layer state information
The reality is that proxy-based firewalls rarely went very far down that path
Why? Market demand, obviously…
Firewall Evolution: What we hoped for…
• Additional granular controls on a wide variety of applications
• Intrusion detection and prevention functionality
• Vastly improved centralized management systems
• More flexible deployment options
Firewall Evolution: What we found…
• Additional granular controls on some applications, not “a wide variety of” applications
• Limited intrusion detection and prevention functionality
• Vastly improved centralized management systems
• More flexible deployment options
Why? Market demand, obviously…
So what’s going on in the firewall business?
Products are diverging, not converging
Personalities of products are distinct
IPS is a step forward, but not challenging the world of standalone products
Rate of change of established products is slow compared to new entries
What does this mean for me and my firewall?
Products are diverging; personalities are distinct → Matching firewall to policy is hard; change in application or policy may mean changing product!
IPS weaker than standalone; change rate slow → Aggressive adoption of new features unlikely in popular products; need new blood to overcome product inertia
Are Intrusion Detection Systems dead?
http://infosecuritymag.techtarget.com/
Massive Support from Marty Roesch, Ron Gula, Robert Graham
Products from ISS, Cisco, and Tenable
Cash and Prizes from Andy Briney and Neil Roiter
This is an IDS alert…
IDS saw a packet aimed at a protected system
IDS magic decoder technology correctly identifies this as “Back Orifice!”
This IDS alert ain’t no good
Last time I checked, FreeBSD 4.9 was not one of the supported platforms for BackOrifice…
Please don’t call that a false positive
IDS developers will jump down your throat
“False Positive” means the IDS cried wolf when there was no such attack
• Usually the result of poorly written signatures
Instead, let’s invent a complex multisyllable term: “non-contextual alert”
The IDS lacks “context”
IF the IDS knew that the destination system was not running Windows…
IF the IDS knew that the destination system was not running Back Orifice…
IF the IDS knew that there was no such destination system…
IF the IDS knew that the destination system was more hops away than TTL allowed…
IF IF IF the IDS knew more…
THEN the IDS could tell the IDS operator more about this attack
Ron Gula (Tenable) says that alerts are “raw intelligence.” They are data, but are not information yet.
We need to turn them into “well-qualified intelligence” to start a war.
Roesch: “Target-Based IDS”
Target-based IDS has two components
Target-based Sensor
• The sensor has knowledge about the network
• The sensor has knowledge about the hosts
Target-based Event Correlation
• The output of the sensor is compared to knowledge of vulnerabilities
Start with a normal IDS… and add brains!
1. IDS sensors generate enormous dinosaur-sized piles of alerts; alerts are sent to the IDS console
2. Operator gets enormous dinosaur-sized headache looking at hundreds of thousands of alerts
Brains = knowledge + process
Knowledge
Somehow figure out lots of information about
• What systems are out there
• What software they are running
• What attacks they are vulnerable to
Process
Evaluate each alert with the additional contextual knowledge and decide
• To promote the alert
• To demote the alert
• That we don’t know
Can this quiet my IDS down?
It could…
But none of the products I looked at have a feedback loop to the IDS!
Why don’t the scanners tell the IDS what ports to look on?
Why don’t the scanners tell the IDS what signatures to ignore?
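The “brains” process above (promote, demote, or don’t know) and the scanner-to-IDS feedback loop the previous slide asks for, as an added example that is not from the talk or any product it names; the host inventory, signature metadata, alert field names and IP addresses are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    os: str              # OS family as reported by the scanner
    hops: int            # routers between the sensor and this host
    services: set = field(default_factory=set)   # listening ports, e.g. "tcp/80"


# Constructed inventory: the FreeBSD 4.9 box from the talk plus a Windows host.
INVENTORY = {
    "10.1.1.20": Host("10.1.1.20", "FreeBSD 4.9", 2, {"tcp/22", "tcp/80"}),
    "10.1.1.31": Host("10.1.1.31", "Windows", 3, {"tcp/139", "tcp/31337"}),
}

# Assumed signature metadata: the platform and port the attack depends on.
SIGNATURES = {
    "Back Orifice": {"os": "Windows", "port": "tcp/31337"},
}


def qualify(alert, inventory=INVENTORY, signatures=SIGNATURES):
    """Return (verdict, reason) for one alert: promote, demote or unknown.

    alert: dict with keys sig, dst and ttl (the TTL seen at the sensor).
    """
    host = inventory.get(alert["dst"])
    if host is None:
        return "demote", "no such destination system"
    if alert["ttl"] <= host.hops:
        return "demote", "TTL expires before the packet reaches the host"
    sig = signatures.get(alert["sig"])
    if sig is None:
        return "unknown", "no target knowledge for this signature"
    if not host.os.startswith(sig["os"]):
        return "demote", f"host runs {host.os}, attack needs {sig['os']}"
    if sig["port"] not in host.services:
        return "demote", f"{sig['port']} is not listening on {host.ip}"
    return "promote", "host is a plausible target for this attack"


def suppression_list(inventory=INVENTORY, signatures=SIGNATURES):
    """The feedback loop the talk asks for: per host, signatures to ignore."""
    out = {}
    for ip, host in inventory.items():
        out[ip] = {name for name, sig in signatures.items()
                   if not host.os.startswith(sig["os"])
                   or sig["port"] not in host.services}
    return out
```

The Back Orifice alert against the FreeBSD host comes back as a demote with the OS mismatch as the reason, which is the “non-contextual alert” of the earlier slide; the same host knowledge yields the per-host ignore list a scanner could hand back to the IDS.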
Is this right for you?
YES! “I already have an IDS and I care about the alerts and I need some way to help prioritize them because I am drowning in alerts!”
“I need to get an IDS for alerts but don’t have the manpower to analyze the alerts.”
NO! “If I get this, my IDS will be a self-tuning smooth-running no-maintenance machine.”
“I have no network security policy which says what to do when an alert occurs.”