Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies Intro Securing the Perimeter Intrusion Detection Intrusion Prevention The New Perimeter Q & A AGENDA
A risk management approach to security Modern networks are complex systems – Each node has specific security characteristics – Nodes interact with each other – Subject to constant change (business driven) Security as an emergent characteristic Focus on risk – 100% bulletproof is an utopian dream – As countermeasures and protection mechanisms evolve, attacks evolve too WHY MITIGATE?
Friends in, Foes out. Defining and securing the network perimeter SECURING THE PERIMETER
Packet filters can control which packets are allowed to get through the firewall and which are not Packet filter – Rules based on individual packets – Real fast – Most popular routers incorporate this functionality Stateful packet filter – Rules can refer to established sessions or flows – Very fast – Most modern firewalls are stateful PACKET FILTERS SYN | port 80 SYN | ACK | ISN# 2222 ACK #2222 | port 80 | data ACK #bbbb| data
Application layer firewalls provide a more granular control of networked applications and services Police traffic at the application layer Pros – Rules refer to specific services – Can spot protocol deviations and abuses – Very granular control on protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block “ ‘ “ in HTTP form fields) Cons – Resource intensive – Tough to keep up with app-layer protocols APPLICATION LAYER FIREWALLS HTTP GET /index.htmlHTTP GET /null.printerHTTP Response HTTP GET /index.htmlBLOCKED!
Dividing the network in different physical segments has many advantages Assigning trust to network segments Pros – Reduces “attack surface” at many levels – Contains or limits successful intrusions – Provides control and audit capabilities for internal traffic Cons – Tough to configure and manage if the network is very dynamic – Strict performance requirements NETWORK SEGMENTATION
A classic segmentation example: the DMZ NETWORK SEGMENTATION (2)
Intrusion Detection Systems passively monitor the network’s operation for attacks and anomalies Monitor the network for security events – Intrusion attempts – Successful attacks – Anomalies Forensics – Network audit trail Internally deployed – Detect anomalies within the perimeter Externally deployed – Measure threat (?) INTRUSION DETECTION
There are many different IDS technologies being developed today Signature based – Watches for known attacks (signatures) – Can detect some well defined anomalies Anomaly – Watches for anomalies (not known attacks) – Self learned (adapts to the network) / Programmed (follows defined rules) Host based – Sensor sits in monitored host Network based – Sensor sits on network Hybrids INTRUSION DETECTION STRATEGIES
Each one of these technologies has limitations Signature based – Can only detect known attacks (sometimes only specific attack incarnations) – Must be constantly updated Anomaly – Cannot easily absorb change – Some attacks are hard to separate from legitimate traffic Host based – Requires widespread deployment of sensor/agent (hard to manage / expensive) – Introduces complexity into end-systems Network based – Vulnerable to differences in TCP/IP implementations INTRUSION DETECTION LIMITATIONS
Intrusion Prevention generates and active response to intrusion events Responds actively to security events – Terminates network connections – Communicates with the firewall / switch to disconnect / block attacker – Terminates compromised process Pros – Doesn’t require human attention (?) – Can preemptively block known intrusion attempts Cons – Doesn’t require human attention (!) – Can block legitimate use – Can be turned into a DoS (remember spoofing) INTRUSION PREVENTION
Several different intrusion prevention strategies at the host level are being developed Code injection protection / mitigation – Non executable stack (Sun Solaris) – Non writeable code segment, non executable everything else (OpenBSD, Linux w/GR Security, Windows XP sp2 w/AMD64) – Address randomization (OpenBSD, GR Security) Containment – Chroot jails (POSIX) – System call policing, systrace (OpenBSD, NetBSD) – Privilege separation (OpenBSD) HOST IPS
The concept of a network perimeter is coming to an end Peer 2 Peer HTTP tunneling – SSL Instant messaging Rich clients THE NEW PERIMETER
Personal firewalls bring packet filtering to the workstation Polices traffic coming in and going out the workstations Adds the application dimension to the rules Dynamically configurable Starts to borrow capabilities from IPS PERSONAL FIREWALLS
Q & A
Thank You! Maximiliano Caceres |