Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies
Posted 15-Jan-2016 (Category: Documents)
Page 1
Common IS Threat Mitigation Strategies
An overview of common detection and protection technologies
Max Caceres, CORE Security Technologies
www.coresecurity.com
Page 2
Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies
Intro
Securing the Perimeter
Intrusion Detection
Intrusion Prevention
The New Perimeter
Q & A
AGENDA
Page 3
A risk management approach to security
Modern networks are complex systems
– Each node has specific security characteristics
– Nodes interact with each other
– Subject to constant change (business driven)
Security as an emergent characteristic
Focus on risk
– 100% bulletproof is a utopian dream
– As countermeasures and protection mechanisms evolve, attacks evolve too
WHY MITIGATE?
Page 4
Friends in, Foes out. Defining and securing the network perimeter
SECURING THE PERIMETER
[Diagram: several attackers on the internet, separated from the corporate network by a firewall]
Page 5
Packet filters can control which packets are allowed to get through the firewall and which are not
Packet filter
– Rules based on individual packets
– Real fast
– Most popular routers incorporate this functionality
Stateful packet filter
– Rules can refer to established sessions or flows
– Very fast
– Most modern firewalls are stateful
PACKET FILTERS
[Diagram: TCP exchange between client and server through the firewall]
client → server: SYN | port 80
server → client: SYN | ACK | ISN# 2222
client → server: ACK #2222 | port 80 | data
server → client: ACK #bbbb | data
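The difference between the two filter types on this slide, as an added example (not code from the slides or from CORE Security): a per-packet rule set that lets inbound packets through whenever ACK is set, beside a stateful filter that only passes inbound packets belonging to a session opened from the inside. Addresses, ports and the trace are constructed.

```python
from collections import namedtuple

# Constructed addresses: the corporate network sits behind the firewall on 10.0.0.0/24
INSIDE_PREFIX = "10.0.0."
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of TCP flags


def inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_decide(p):
    """Per-packet rules only: outbound traffic passes, and inbound traffic passes
    if ACK is set (the classic stateless way to let replies back in)."""
    if inside(p.src) and not inside(p.dst):
        return "ALLOW"
    if not inside(p.src) and inside(p.dst) and "ACK" in p.flags:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Tracks sessions opened from inside; inbound packets pass only for a tracked flow."""

    def __init__(self):
        self.flows = set()  # (client_ip, client_port, server_ip, server_port)

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            if p.flags & {"FIN", "RST"}:  # session is ending: stop tracking it
                self.flows.discard(fwd)
                self.flows.discard(rev)
            return "ALLOW"
        if inside(p.src) and not inside(p.dst) and p.flags == {"SYN"}:
            self.flows.add(fwd)  # new session initiated from the inside
            return "ALLOW"
        return "DROP"


# Constructed trace: the slide's client/server exchange, then two unsolicited inbound packets
CLIENT, SERVER, OUTSIDER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
TRACE = [
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"SYN"})),
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"})),
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"ACK"})),
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"ACK"})),
    Packet(OUTSIDER, 4444, CLIENT, 22, frozenset({"ACK"})),  # bare ACK with no session behind it
    Packet(OUTSIDER, 4444, CLIENT, 22, frozenset({"SYN"})),  # inbound connection attempt
]
```

The stateless rule set accepts the bare ACK because it cannot tell a reply from a forged packet; the stateful filter drops it because no tracked session matches.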
Page 6
Application layer firewalls provide a more granular control of networked applications and services
Police traffic at the application layer
Pros
– Rules refer to specific services
– Can spot protocol deviations and abuses
– Very granular control on protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block ' in HTTP form fields)
Cons
– Resource intensive
– Tough to keep up with app-layer protocols
APPLICATION LAYER FIREWALLS
[Diagram: client, firewall and server. Two HTTP GET /index.html requests pass through the firewall and receive an HTTP Response; HTTP GET /null.printer is BLOCKED! at the firewall]
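An application-layer rule set of the kind the slide describes, as an added example (not code from the slides or from CORE Security): it parses a raw HTTP request, rejects unexpected methods and versions, blocks the slide's /null.printer request, and blocks a ' in any form field. The request strings are constructed; the path is decoded and lower-cased before matching so that encoding or case tricks do not bypass the rule.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_METHODS = {"GET", "POST", "HEAD"}
BLOCKED_SUFFIXES = (".printer",)  # the slide's example: requests for the IIS .printer handler
FORBIDDEN_IN_FIELDS = "'"        # the slide's example: block ' in HTTP form fields


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # ValueError if the request line is malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def form_fields(method, target, headers, body):
    """Collect (name, value) pairs from the query string and, for POST, the urlencoded body."""
    fields = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += parse_qsl(body, keep_blank_values=True)
    return fields


def inspect(raw):
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError:
        return "BLOCK", "malformed request line"
    if method not in ALLOWED_METHODS:
        return "BLOCK", "method %s not permitted" % method
    if not version.startswith("HTTP/1."):
        return "BLOCK", "protocol deviation: " + version
    # Decode and lower-case the path before matching, so %2E or case changes do not slip past the rule
    path = unquote(urlsplit(target).path).lower()
    if path.endswith(BLOCKED_SUFFIXES):
        return "BLOCK", "blocked resource " + path
    for name, value in form_fields(method, target, headers, body):
        if FORBIDDEN_IN_FIELDS in value:
            return "BLOCK", "forbidden character in field " + name
    return "ALLOW", "ok"


# Constructed requests, mirroring the slide's diagram
INDEX = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PRINTER = "GET /null.printer HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LOGIN = ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=bob&pass=x%27y")
```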
Page 7
Dividing the network into different physical segments has many advantages
Assigning trust to network segments
Pros
– Reduces "attack surface" at many levels
– Contains or limits successful intrusions
– Provides control and audit capabilities for internal traffic
Cons
– Tough to configure and manage if the network is very dynamic
– Strict performance requirements
NETWORK SEGMENTATION
Page 8
A classic segmentation example: the DMZ
NETWORK SEGMENTATION (2)
[Diagram: a DMZ with a router, a firewall, three public-facing servers, a backend server, and the clients and workstations on either side]
Page 9
Intrusion Detection Systems passively monitor the network's operation for attacks and anomalies
Monitor the network for security events
– Intrusion attempts
– Successful attacks
– Anomalies
Forensics
– Network audit trail
Internally deployed
– Detect anomalies within the perimeter
Externally deployed
– Measure threat (?)
INTRUSION DETECTION
Page 10
There are many different IDS technologies being developed today
Signature based
– Watches for known attacks (signatures)
– Can detect some well defined anomalies
Anomaly
– Watches for anomalies (not known attacks)
– Self learned (adapts to the network) / Programmed (follows defined rules)
Host based
– Sensor sits in monitored host
Network based
– Sensor sits on network
Hybrids
INTRUSION DETECTION STRATEGIES
Page 11
Each one of these technologies has limitations
Signature based
– Can only detect known attacks (sometimes only specific attack incarnations)
– Must be constantly updated
Anomaly
– Cannot easily absorb change
– Some attacks are hard to separate from legitimate traffic
Host based
– Requires widespread deployment of sensor/agent (hard to manage / expensive)
– Introduces complexity into end-systems
Network based
– Vulnerable to differences in TCP/IP implementations
INTRUSION DETECTION LIMITATIONS
Page 12
Intrusion Prevention generates an active response to intrusion events
Responds actively to security events
– Terminates network connections
– Communicates with the firewall / switch to disconnect / block attacker
– Terminates compromised process
Pros
– Doesn't require human attention (?)
– Can preemptively block known intrusion attempts
Cons
– Doesn't require human attention (!)
– Can block legitimate use
– Can be turned into a DoS (remember spoofing)
INTRUSION PREVENTION
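The "remember spoofing" point in practice, as an added example (not code from the slides or from CORE Security): an auto-block decision that only counts alerts raised on established TCP sessions, whose source address has completed a handshake and so is not freely forgeable, refuses to block a protected set of addresses, and lets blocks expire. The policy values, addresses and alert stream are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: internal ranges and the upstream DNS resolver are never auto-blocked
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.53/32")]
THRESHOLD = 3         # verified alerts from one source before it is blocked
BLOCK_SECONDS = 600   # blocks expire, so a mistake is an outage of minutes, not a permanent one


def blockable(src):
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in NEVER_BLOCK)


class AutoBlocker:
    """Decides whether an IDS alert should turn into a firewall block."""

    def __init__(self):
        self.hits = defaultdict(int)
        self.blocked = {}  # source address -> block expiry time

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        return expiry is not None and now < expiry

    def handle(self, alert):
        """alert: dict with src, proto, established (bool), time. Returns the action taken."""
        src = alert["src"]
        if not blockable(src):
            return "ALERT_ONLY: protected address"
        if alert["proto"] != "tcp" or not alert["established"]:
            # A lone SYN or a UDP datagram can carry any source address: reacting to it
            # would let a sender choose which address the IPS cuts off (the DoS on the slide)
            return "ALERT_ONLY: source address not verified"
        self.hits[src] += 1
        if self.hits[src] >= THRESHOLD:
            self.blocked[src] = alert["time"] + BLOCK_SECONDS
            return "BLOCK"
        return "ALERT_ONLY: below threshold"


# Constructed alert stream
ALERTS = [
    {"src": "203.0.113.53", "proto": "udp", "established": False, "time": 100},  # "from" the resolver
    {"src": "198.51.100.9", "proto": "tcp", "established": False, "time": 101},  # SYN-only probe
    {"src": "198.51.100.9", "proto": "tcp", "established": False, "time": 102},
    {"src": "198.51.100.9", "proto": "tcp", "established": False, "time": 103},
    {"src": "192.0.2.77", "proto": "tcp", "established": True, "time": 110},  # completed handshake
    {"src": "192.0.2.77", "proto": "tcp", "established": True, "time": 111},
    {"src": "192.0.2.77", "proto": "tcp", "established": True, "time": 112},
]
```

Every alert is still recorded for a human to review; only the automatic block is withheld when the source cannot be trusted.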
Page 13
Several different intrusion prevention strategies at the host level are being developed
Code injection protection / mitigation
– Non executable stack (Sun Solaris)
– Non writeable code segment, non executable everything else (OpenBSD, Linux w/GR Security, Windows XP sp2 w/AMD64)
– Address randomization (OpenBSD, GR Security)
Containment
– Chroot jails (POSIX)
– System call policing, systrace (OpenBSD, NetBSD)
– Privilege separation (OpenBSD)
HOST IPS
Page 14
The concept of a network perimeter is coming to an end
Peer 2 Peer
HTTP tunneling
– SSL
Instant messaging
Rich e-mail clients
THE NEW PERIMETER
[Diagram: an attacker reaching workstations and a client directly, bypassing the perimeter]
Page 15
Personal firewalls bring packet filtering to the workstation
Polices traffic coming in and going out of the workstations
Adds the application dimension to the rules
Dynamically configurable
Starts to borrow capabilities from IPS
PERSONAL FIREWALLS
Page 16
Q & A