FIRST LINE OF DEFENSE
Intrusion Prevention System
Stephen Gates – CISSP – [email protected]
Hoàng Thế Long – 13320795
Nguyễn Thái Bình – 13320785
SANS Institute Top 10 Cyber Threats for 2013
1. Increasingly sophisticated website attacks that exploit browser vulnerabilities
2. Increasing sophistication and effectiveness in botnets
3. Cyber espionage efforts by well-resourced organizations to extract large amounts of data for economic and political purposes
4. Mobile phone threats, especially against iPhones, Google's Android phones, and voice over IP systems
5. Insider attacks
6. Advanced identity theft from persistent bots
7. Increasingly malicious spyware
8. Web application security exploits
9. Increasingly sophisticated social engineering to provoke insecure behavior
10. Supply chain attacks that infect consumer devices
Source: SANS Institute
What is an IPS?
Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.
Source: Principles of Information Security – Michael E. Whitman, Herbert J. Mattord
Why use an IDPS?
1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
2. To detect attacks and other security violations that are not prevented by other security measures
3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities)
4. To document the existing threat to an organization
5. To act as quality control for security design and administration, especially in large and complex enterprises
6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors
Why use an IDPS (cont.)?
Best Reason – One of the best reasons to install an IDPS is that it serves as a deterrent by increasing the fear of detection among would-be attackers. If internal and external users know that an organization has an intrusion detection and prevention system, they are less likely to probe or attempt to compromise it, just as criminals are much less likely to break into a house that has an apparent burglar alarm.
Types of IDPS
Network-based IDPS (NIDPS) – monitors the entire network for suspicious traffic by analyzing protocol activity
• Wireless IDPS
• Network Behavior Analysis System (NBA)
Host-based IDPS (HIDPS) – an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
IDPS Detection Methods
1. The signature-based approach
2. The statistical-anomaly approach
3. The stateful packet inspection approach
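As an added example (not code from the deck or from any product it names), the three detection methods above applied to one constructed TCP packet trace: signature matching on payloads, a statistical threshold on packets per second against a learned baseline, and stateful tracking of the TCP handshake. The trace, the signature patterns, the baseline rate and the half-open limit are all constructed for illustration.

```python
"""Toy IDPS analysis engine showing the three detection approaches over one
constructed packet trace. Added example; not code from the deck or any product."""
import re
import statistics
from collections import Counter

# Constructed trace of TCP packets: (time_s, src, sport, dst, dport, flags, payload).
# 10.0.0.x are legitimate clients; 192.0.2.9 and 198.51.100.4 are attackers.
SERVER = "10.0.1.10"
TRACE = [
    (0.0, "10.0.0.5", 40001, SERVER, 80, "S", b""),
    (0.1, SERVER, 80, "10.0.0.5", 40001, "SA", b""),
    (0.2, "10.0.0.5", 40001, SERVER, 80, "A", b""),
    (0.3, "10.0.0.5", 40001, SERVER, 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
    (1.0, "10.0.0.7", 40002, SERVER, 80, "S", b""),
    (1.1, SERVER, 80, "10.0.0.7", 40002, "SA", b""),
    (1.2, "10.0.0.7", 40002, SERVER, 80, "A", b""),
    (1.3, "10.0.0.7", 40002, SERVER, 80, "PA", b"GET /../../../etc/passwd HTTP/1.1\r\n"),
    # A data segment on a flow that never completed a handshake.
    (2.0, "192.0.2.9", 40010, SERVER, 80, "PA", b"GET /admin HTTP/1.1\r\n"),
] + [  # SYN flood: 20 half-open connections within one second from one source.
    (5.0 + i * 0.04, "198.51.100.4", 50000 + i, SERVER, 80, "S", b"") for i in range(20)
]

# 1. Signature-based: known-bad byte patterns in the payload (constructed rules).
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./")),
    ("sql-tautology", re.compile(rb"'\s*or\s+1\s*=\s*1", re.I)),
]

def signature_detect(trace):
    """Return (time, src, signature name) for every payload matching a rule."""
    return [(t, src, name) for t, src, _, _, _, _, payload in trace
            for name, rx in SIGNATURES if rx.search(payload)]

# 2. Statistical-anomaly: compare per-second packet counts with a learned baseline.
# Constructed baseline of packets/second observed during normal operation.
BASELINE_PPS = [3, 4, 2, 5, 3, 4, 3, 4]

def anomaly_detect(trace, baseline=BASELINE_PPS, sigmas=3.0):
    """Return (window, count) for every one-second window above mean + k*stdev."""
    threshold = statistics.mean(baseline) + sigmas * statistics.stdev(baseline)
    per_window = Counter(int(t) for t, *_ in trace)
    return [(w, n) for w, n in sorted(per_window.items()) if n > threshold]

# 3. Stateful packet inspection: follow the TCP handshake per flow, flag data on
#    flows that never completed it, and flag sources holding too many half-open flows.
HALF_OPEN_LIMIT = 10

def stateful_detect(trace):
    state = {}   # (client, cport, server, sport) -> handshake state
    alerts = []
    for _, src, sport, dst, dport, flags, payload in trace:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            state[fwd] = "SYN_SENT"
        elif flags == "SA" and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_RECEIVED"
        elif flags == "A" and state.get(fwd) == "SYN_RECEIVED":
            state[fwd] = "ESTABLISHED"
        if payload and "ESTABLISHED" not in (state.get(fwd), state.get(rev)):
            alerts.append(("data-without-handshake", src))
    half_open = Counter(key[0] for key, s in state.items() if s != "ESTABLISHED")
    alerts += [("half-open-flood", c) for c, n in half_open.items() if n > HALF_OPEN_LIMIT]
    return alerts

def run_all(trace=TRACE):
    return {"signature": signature_detect(trace),
            "anomaly": anomaly_detect(trace),
            "stateful": stateful_detect(trace)}

if __name__ == "__main__":
    for method, alerts in run_all().items():
        print(method, alerts)
```

Note which method catches which event: the traversal attempt is only visible to the signature rule, the SYN flood trips both the statistical threshold and the half-open count, and the stray data segment is caught only by the handshake tracking. No single approach covers all three, which is why products combine them.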
IDPS Response Options
Audible/visual alarm
E-mail message
Page or phone message
Log entry
Evidentiary packet dump
Take action against the intruder
Launch program
Reconfigure firewall
Terminate session
Terminate connection
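The "reconfigure firewall" and "terminate connection" options are the ones that can hurt the organization if they fire on spoofed or legitimate addresses, so an automated response needs fail-safes. Added example, not from the deck or from any product it names: an auto-blocker that refuses allowlisted addresses, expires every block, and caps how many sources can be blocked at once. The allowlist, the TTL, the severity rule and the iptables-style command strings are assumptions; commands are recorded rather than executed.

```python
"""Automated IDPS response with fail-safes. Added example; not code from the
deck or from any product it names. Firewall commands are rendered as strings
in an assumed iptables-style syntax and recorded, not executed."""
import ipaddress
import time

# Addresses the IDPS must never block, whatever the alert says (constructed):
# our own ranges and the hosts the infrastructure depends on.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]

class AutoBlocker:
    """Reconfigure-firewall response with three fail-safes: an allowlist so the
    IDPS cannot lock out its own infrastructure, a TTL so every block expires,
    and a cap so spoofed sources cannot turn the IDPS into a DoS tool."""

    def __init__(self, ttl_s=600, max_blocks=1000, clock=time.time):
        self.ttl_s, self.max_blocks, self.clock = ttl_s, max_blocks, clock
        self.blocked = {}    # src ip -> expiry timestamp
        self.commands = []   # firewall commands that would have been run

    def _expire(self):
        now = self.clock()
        for src, expiry in list(self.blocked.items()):
            if expiry <= now:
                del self.blocked[src]
                self.commands.append(f"iptables -D INPUT -s {src} -j DROP")

    def block(self, src):
        """Returns 'blocked', 'refreshed', 'allowlisted' or 'capped'."""
        self._expire()
        if any(ipaddress.ip_address(src) in net for net in ALLOWLIST):
            return "allowlisted"
        if src in self.blocked:
            self.blocked[src] = self.clock() + self.ttl_s
            return "refreshed"
        if len(self.blocked) >= self.max_blocks:
            return "capped"
        self.blocked[src] = self.clock() + self.ttl_s
        self.commands.append(f"iptables -I INPUT -s {src} -j DROP")
        return "blocked"

    def is_blocked(self, src):
        self._expire()
        return src in self.blocked

def respond(alert, blocker):
    """Map an alert to response options from the list above: every alert is
    logged; only high-severity alerts reconfigure the firewall. The alert
    shape (type, src, severity) is an assumption."""
    kind, src, severity = alert
    actions = [f"log: {kind} from {src} (severity {severity})"]
    if severity >= 3:
        actions.append(f"firewall: {blocker.block(src)} {src}")
    return actions

if __name__ == "__main__":
    b = AutoBlocker(ttl_s=60)
    for alert in [("port-scan", "198.51.100.4", 1),
                  ("server-side-exploit", "198.51.100.4", 3),
                  ("server-side-exploit", "10.0.0.5", 3)]:
        print(respond(alert, b))
    print(b.commands)
```

The cap matters because an attacker who knows the IDPS auto-blocks can spoof source addresses of the organization's partners or customers; the allowlist and the TTL limit the damage of that and of any false positive.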
Strengths of IDPS
Monitoring and analysis of system events and user behaviors
Testing the security states of system configurations
Baselining the security state of a system, then tracking any changes to that baseline
Recognizing patterns of system events that correspond to known attacks
Recognizing patterns of activity that statistically vary from normal activity
Managing operating system audit and logging mechanisms and the data they generate
Alerting appropriate staff by appropriate means when attacks are detected
Measuring enforcement of security policies encoded in the analysis engine
Providing default information security policies
Allowing non-security experts to perform important security monitoring functions
Limitations of IDPS
An IDPS cannot be relied upon for:
Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software
Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load
Detecting newly published attacks or variants of existing attacks
Effectively responding to attacks launched by sophisticated attackers
Automatically investigating attacks without human intervention
Resisting all attacks that are intended to defeat or circumvent them
Compensating for problems with the fidelity of information sources
Dealing effectively with switched networks
Others
Reporting and Archiving Capabilities
Failsafe Considerations for IDPS Responses
Selecting IDPS Approaches and Products
Organizational Requirements and Constraints
IDPS Product Features and Quality
Typical Network Topology
[Diagram: "Good Users" in the Internet's No-Man's Land → Router → Firewall → SW (switch) → IT Infrastructure / Servers and Applications. Customer traffic flows through each hop.]
Assumption: Customer Traffic Flowing Through As Expected
What are the limitations of a Firewall/UTM?
[Diagram: the same topology, with "Attackers" alongside "Good Users" in the Internet's No-Man's Land, both entering through the Router and the Firewall.]
- Should I restrict access?
  Static access restriction based on source IP is impossible: there are billions of IPs out there.
- At what rate can traffic enter my network?
  Policy-based static rate limiting, without analysing application and user behaviour, is impractical: it is easy to drop good traffic at the same time.
- A Firewall/UTM has insufficient resources to deal with a DDoS attack.
What else can a Firewall/UTM not do?
[Diagram: the same topology, with "Good Users" and "Attackers" entering through the Router and the Firewall.]
- Bi-directional traffic inspection
  The firewall inspects the incoming traffic, but what about the return traffic from the application servers?
- How many applications/OSes/BYOD devices are running in our company? Does the Firewall/UTM know about them?
  A Firewall/UTM has a limited set of application and OS signatures (and no BYOD database); unknown traffic that matches a firewall policy still passes through.
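Added example (not from the deck or any product it names) illustrating the two limitations above: a global static rate limit versus a per-source limit on a constructed one-second request mix, and signature inspection of the server responses that an inbound-only firewall never sees. The request mix, the limits and the response signatures are constructed.

```python
"""Static global rate limiting vs per-source limiting, plus inspection of the
return direction. Added example with constructed data; not code from the deck."""
import re
from collections import Counter

# Constructed one-second window: five good users at 2 requests each,
# one attacker at 200 requests.
GOOD_USERS = [f"10.0.0.{i}" for i in range(1, 6)]
ATTACKER = "198.51.100.4"

def build_window():
    reqs = [(t, user) for user in GOOD_USERS for t in (0.0, 0.5)]
    reqs += [(i * 0.005, ATTACKER) for i in range(200)]
    return sorted(reqs, key=lambda r: r[0])   # arrival order; sort is stable

def static_global_limit(reqs, limit=50):
    """Firewall/UTM-style policy: the first `limit` packets in the window pass,
    the rest are dropped regardless of who sent them."""
    accepted, dropped = Counter(), Counter()
    for n, (_, src) in enumerate(reqs):
        (accepted if n < limit else dropped)[src] += 1
    return accepted, dropped

def per_source_limit(reqs, limit=10):
    """Behaviour-aware policy: each source gets its own budget, so one
    abusive source cannot consume everyone else's."""
    accepted, dropped = Counter(), Counter()
    for _, src in reqs:
        (accepted if accepted[src] < limit else dropped)[src] += 1
    return accepted, dropped

# Signs in server *responses* that a server-side attack succeeded. A firewall
# that inspects only the inbound direction never sees these.
RESPONSE_SIGNATURES = [
    ("passwd-disclosure", re.compile(rb"root:x:0:0:")),
    ("sql-error-leak", re.compile(rb"error in your SQL syntax", re.I)),
]
RESPONSES = [  # constructed (client, response body) pairs from the app servers
    ("10.0.0.1", b"HTTP/1.1 200 OK\r\n\r\n<html>welcome</html>"),
    (ATTACKER, b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n"),
]

def inspect_responses(responses):
    """Return (client, signature name) for every response matching a rule."""
    return [(client, name) for client, body in responses
            for name, rx in RESPONSE_SIGNATURES if rx.search(body)]

def compare(limit_global=50, limit_per_source=10):
    reqs = build_window()
    g_acc, g_drop = static_global_limit(reqs, limit_global)
    p_acc, p_drop = per_source_limit(reqs, limit_per_source)
    return {
        "global": {"good_dropped": sum(g_drop[u] for u in GOOD_USERS),
                   "attacker_accepted": g_acc[ATTACKER]},
        "per_source": {"good_dropped": sum(p_drop[u] for u in GOOD_USERS),
                       "attacker_accepted": p_acc[ATTACKER]},
        "response_leaks": inspect_responses(RESPONSES),
    }

if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```

With the global limit, half of the good users' requests are dropped while most of what gets through is the attacker's; with the per-source limit, no good request is lost and the attacker is held to its budget. The response check then ties the leaked file back to the attacker's address, something only possible when both directions are inspected.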
Without IPS
[Diagram: "Good Users" and "Attackers" in the Internet's No-Man's Land → Router → Firewall system (overloaded) → SW → IT Infrastructure, Servers and Applications. Unwanted traffic (DDoS attacks, protocol abuse, undesired users & services, server-side exploits) enters alongside customer traffic.]
With IPS
[Diagram: "Good Users" and "Attackers" in the Internet's No-Man's Land → Router → IDPS → Firewall system → SW → IT Infrastructure, Servers and Applications. The IDPS stops DDoS attacks, protocol abuse, undesired users & services and server-side exploits in front of the firewall: foiled attackers, satisfied customers, and only customer traffic reaches the servers.]
IDPS Boongke
Centralized Management & Reporting
Corero Security Operations Center – SecureWatch
Excerpts of SecureWatch Reports