170 likes | 189 Views
This presentation provides an overview of common detection and protection technologies for mitigating IS threats, including securing the perimeter, intrusion detection, intrusion prevention, and the new perimeter.
E N D
Common IS Threat Mitigation StrategiesAn overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com
Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies AGENDA • Intro • Securing the Perimeter • Intrusion Detection • Intrusion Prevention • The New Perimeter • Q & A
A risk management approach to security WHY MITIGATE? • Modern networks are complex systems • Each node has specific security characteristics • Nodes interact with each other • Subject to constant change (business driven) • Security as an emergent characteristic • Focus on risk • 100% bulletproof is an utopian dream • As countermeasures and protection mechanisms evolve, attacks evolve too
Friends in, Foes out. Defining and securing the network perimeter SECURING THE PERIMETER
SYN | port 80 SYN | ACK | ISN# 2222 ACK #2222 | port 80 | data ACK#bbbb| data Packet filters can control which packets are allowed to get through the firewall and which are not PACKET FILTERS • Packet filter • Rules based on individual packets • Real fast • Most popular routers incorporate this functionality • Stateful packet filter • Rules can refer to established sessions or flows • Very fast • Most modern firewalls are stateful
HTTP Response BLOCKED! HTTP GET /index.html HTTP GET /index.html HTTP Response HTTP GET /null.printer Application layer firewalls provide a more granular control of networked applications and services APPLICATION LAYER FIREWALLS • Police traffic at the application layer • Pros • Rules refer to specific services • Can spot protocol deviations and abuses • Very granular control on protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block “ ‘ “ in HTTP form fields) • Cons • Resource intensive • Tough to keep up with app-layer protocols
Dividing the network in different physical segments has many advantages NETWORK SEGMENTATION • Assigning trust to network segments • Pros • Reduces “attack surface” at many levels • Contains or limits successful intrusions • Provides control and audit capabilities for internal traffic • Cons • Tough to configure and manage if the network is very dynamic • Strict performance requirements
A classic segmentation example: the DMZ NETWORK SEGMENTATION (2)
Intrusion Detection Systems passively monitor the network’s operation for attacks and anomalies INTRUSION DETECTION • Monitor the network for security events • Intrusion attempts • Successful attacks • Anomalies • Forensics • Network audit trail • Internally deployed • Detect anomalies within the perimeter • Externally deployed • Measure threat (?)
There are many different IDS technologies being developed today INTRUSION DETECTION STRATEGIES • Signature based • Watches for known attacks (signatures) • Can detect some well defined anomalies • Anomaly • Watches for anomalies (not known attacks) • Self learned (adapts to the network) / Programmed (follows defined rules) • Host based • Sensor sits in monitored host • Network based • Sensor sits on network • Hybrids
Each one of these technologies has limitations INTRUSION DETECTION LIMITATIONS • Signature based • Can only detect known attacks (sometimes only specific attack incarnations) • Must be constantly updated • Anomaly • Cannot easily absorb change • Some attacks are hard to separate from legitimate traffic • Host based • Requires widespread deployment of sensor/agent (hard to manage / expensive) • Introduces complexity into end-systems • Network based • Vulnerable to differences in TCP/IP implementations
Intrusion Prevention generates and active response to intrusion events INTRUSION PREVENTION • Responds actively to security events • Terminates network connections • Communicates with the firewall / switch to disconnect / block attacker • Terminates compromised process • Pros • Doesn’t require human attention (?) • Can preemptively block known intrusion attempts • Cons • Doesn’t require human attention (!) • Can block legitimate use • Can be turned into a DoS (remember spoofing)
Several different intrusion prevention strategies at the host level are being developed HOST IPS • Code injection protection / mitigation • Non executable stack (Sun Solaris) • Non writeable code segment, non executable everything else (OpenBSD, Linux w/GR Security, Windows XP sp2 w/AMD64) • Address randomization (OpenBSD, GR Security) • Containment • Chroot jails (POSIX) • System call policing, systrace (OpenBSD, NetBSD) • Privilege separation (OpenBSD)
The concept of a network perimeter is coming to an end THE NEW PERIMETER • Peer 2 Peer • HTTP tunneling • SSL • Instant messaging • Rich e-mail clients
Personal firewalls bring packet filtering to the workstation PERSONAL FIREWALLS • Polices traffic coming in and going out the workstations • Adds the application dimension to the rules • Dynamically configurable • Starts to borrow capabilities from IPS
Thank You! Maximiliano Caceres | max@coresecurity.com http://www.coresecurity.com