Common IS Threat Mitigation Strategies
An overview of common detection and protection technologies
Max Caceres, CORE Security Technologies, www.coresecurity.com


AGENDA
Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies
 Intro
 Securing the Perimeter
 Intrusion Detection
 Intrusion Prevention
 The New Perimeter
 Q & A

WHY MITIGATE?
A risk management approach to security
 Modern networks are complex systems
  – Each node has specific security characteristics
  – Nodes interact with each other
  – Subject to constant change (business driven)
 Security as an emergent characteristic
 Focus on risk
  – 100% bulletproof is a utopian dream
  – As countermeasures and protection mechanisms evolve, attacks evolve too

SECURING THE PERIMETER
Friends in, foes out: defining and securing the network perimeter

PACKET FILTERS
Packet filters control which packets are allowed through the firewall and which are not
 Packet filter
  – Rules match on individual packets (addresses, ports, flags)
  – Real fast
  – Most popular routers incorporate this functionality
 Stateful packet filter
  – Rules can refer to established sessions or flows
  – Very fast
  – Most modern firewalls are stateful
Diagram (a TCP connection as the filter sees it, simplified): SYN to port 80; SYN | ACK with ISN 2222; ACK #2222 to port 80 with data; ACK #bbbb with data. The slide's diagram acknowledges the ISN itself; a real ACK number is ISN + 1, and a stateful filter tracks this sequence per flow.
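
The stateless/stateful distinction above, as an added example that is not part of the original presentation: a Python model of both filter types run over a constructed packet trace. The internal prefix 10.0.0.0/8, the web server address 10.0.0.80 and the rule set are assumptions. It shows the classic weakness of the stateless "established" rule: an unsolicited packet with only ACK set passes the stateless filter but not the stateful one.

```python
"""Stateless vs stateful packet filtering over a constructed packet trace.
Added example for this page, not code from the presentation.  The internal
prefix, the web server address 10.0.0.80 and the rule set are hypothetical."""
from dataclasses import dataclass

WEB_SERVER = "10.0.0.80"   # hypothetical DMZ web server reachable on 80/tcp


def is_inside(ip):
    # hypothetical internal address space: 10.0.0.0/8
    return ip.startswith("10.")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_allow(pkt):
    """Per-packet rules with no memory of earlier packets.  Outbound traffic is
    allowed, inbound is allowed to the web server on port 80, and inbound
    packets with ACK set are assumed to be replies to inside-initiated flows:
    the classic 'established' rule of a stateless filter."""
    inbound = not is_inside(pkt.src) and is_inside(pkt.dst)
    if not inbound:
        return True
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    return "ACK" in pkt.flags


class StatefulFilter:
    """Remembers flows opened by an allowed SYN and admits only packets that
    belong to one of them.  A bare ACK to an unknown flow is dropped, so an
    ACK scan or a forged 'reply' does not get through."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) as seen from the initiator

    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            if "RST" in pkt.flags:  # simplified teardown; real trackers also time flows out
                self.flows.discard(fwd)
                self.flows.discard(rev)
            return True
        if pkt.flags != frozenset({"SYN"}):
            return False  # only a new SYN can open a flow
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.flows.add(fwd)  # outbound connection from the inside
            return True
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            self.flows.add(fwd)  # permitted inbound service
            return True
        return False


def P(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


# Constructed trace using documentation address ranges.
TRACE = [
    P("10.0.0.5", 40000, "203.0.113.9", 443, "SYN"),          # inside opens HTTPS
    P("203.0.113.9", 443, "10.0.0.5", 40000, "SYN", "ACK"),   # reply
    P("203.0.113.9", 443, "10.0.0.5", 40000, "ACK"),          # data on that flow
    P("198.51.100.7", 55555, "10.0.0.5", 22, "ACK"),          # unsolicited ACK probe
    P("198.51.100.7", 55555, WEB_SERVER, 80, "SYN"),          # new inbound to web server
    P("198.51.100.7", 55556, "10.0.0.50", 80, "SYN"),         # SYN to a non-public host
]


def compare(trace):
    """Return the per-packet verdicts of both filters, in trace order."""
    sf = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in trace],
        "stateful": [sf.allow(p) for p in trace],
    }


if __name__ == "__main__":
    for name, verdicts in compare(TRACE).items():
        print(name, verdicts)
```

The fourth packet is the one to watch: the stateless filter lets the bare ACK to port 22 in because it cannot know that no inside host opened that flow, which is exactly what an ACK scan exploits; the stateful filter drops it.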

APPLICATION LAYER FIREWALLS
Application layer firewalls provide more granular control of networked applications and services
 Police traffic at the application layer
 Pros
  – Rules refer to specific services
  – Can spot protocol deviations and abuses
  – Very granular control over protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block the single quote character (') in HTTP form fields)
 Cons
  – Resource intensive
  – Tough to keep up with app-layer protocols
Diagram: HTTP GET /index.html is forwarded and gets an HTTP response; HTTP GET /null.printer is BLOCKED!
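
An added example of the kind of inspection the slide describes, not code from the presentation: a small application-layer check for raw HTTP requests. The policy (method allowlist, the set of file extensions the site serves, no single quote in form fields) is hypothetical, as are the sample requests. The check a practitioner wants here is that the quote rule runs after URL-decoding, so "%27" is caught as well as a literal quote.

```python
"""Application-layer inspection of raw HTTP requests.  Added example for this
page, not code from the presentation.  The policy (method allowlist, served
extensions, no single quote in form fields) is hypothetical; the quote check
runs after URL-decoding so %27 is caught as well as a literal quote."""
import os
from urllib.parse import parse_qsl, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
SERVED_EXTENSIONS = {"", ".html", ".css", ".js", ".png"}  # hypothetical site content


def inspect_http(raw):
    """Return (allowed, reason) for one raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII byte in header block"
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"  # protocol deviation
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    ext = os.path.splitext(url.path)[1].lower()
    if ext not in SERVED_EXTENSIONS:
        return False, "extension %s not served" % ext
    fields = parse_qsl(url.query, keep_blank_values=True)  # decodes %xx and '+'
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in fields:
        if "'" in value:
            return False, "single quote in field %s" % name
    return True, "ok"


# Constructed requests
REQUESTS = {
    "index": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "printer": b"GET /null.printer HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "quote_encoded": b"GET /search.html?q=%27%20OR%201%3D1-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "quote_in_form": (b"POST /login.html HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                      b"user=o'brien&pass=x"),
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "http09": b"GET /index.html\r\n\r\n",
}


def run_all(requests=REQUESTS):
    return {name: inspect_http(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_all().items():
        print("%-14s %s  %s" % (name, "PASS" if ok else "BLOCK", why))
```

The extension allowlist is what turns the slide's figure into a rule: /index.html is forwarded while /null.printer is refused because the site serves no such extension, without the proxy needing to know anything about the specific flaw behind it. The cost is visible too: the proxy must parse every request, including the body, which is the "resource intensive" item in the cons list.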

NETWORK SEGMENTATION
Dividing the network into different physical segments has many advantages
 Assigning trust to network segments
 Pros
  – Reduces the attack surface at many levels
  – Contains or limits successful intrusions
  – Provides control and audit capabilities for internal traffic
 Cons
  – Tough to configure and manage if the network is very dynamic
  – Strict performance requirements

NETWORK SEGMENTATION (2)
A classic segmentation example: the DMZ

INTRUSION DETECTION
Intrusion Detection Systems passively monitor the network's operation for attacks and anomalies
 Monitor the network for security events
  – Intrusion attempts
  – Successful attacks
  – Anomalies
 Forensics
  – Network audit trail
 Internally deployed
  – Detect anomalies within the perimeter
 Externally deployed
  – Measure threat (?)

INTRUSION DETECTION STRATEGIES
There are many different IDS technologies being developed today
 Signature based
  – Watches for known attacks (signatures)
  – Can detect some well defined anomalies
 Anomaly based
  – Watches for anomalies (not known attacks)
  – Self learned (adapts to the network) / programmed (follows defined rules)
 Host based
  – Sensor sits in the monitored host
 Network based
  – Sensor sits on the network
 Hybrids
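
The signature and self-learned anomaly strategies side by side, as an added example that is not the presentation's code. The two signatures, the source addresses and the request log are all constructed; the anomaly detector learns a per-source request-rate baseline from a training log and flags sources that exceed mean plus three standard deviations.

```python
"""Signature-based and self-learned anomaly detection over a constructed
request log.  Added example for this page, not the presentation's code; the
signatures, the sources and the log lines are all made up."""
import re
from collections import Counter
from statistics import mean, pstdev

SIGNATURES = {  # hypothetical signatures for two known attack patterns
    "iis-printer-isapi": re.compile(r"^GET /\S*\.printer\b", re.I),
    "sqli-quote-in-query": re.compile(r"[?&][^=&\s]+=[^&\s]*(?:'|%27)", re.I),
}


def signature_alerts(events):
    """events: iterable of (t, src, request_line).  Returns (t, src, name) hits."""
    hits = []
    for t, src, req in events:
        for name, pat in SIGNATURES.items():
            if pat.search(req):
                hits.append((t, src, name))
    return hits


class RateAnomalyDetector:
    """Learns how many requests a single source makes per window from a
    training log, then flags sources that exceed mean + k standard deviations.
    It knows nothing about any attack, and cannot tell a crawler from a scanner."""

    def __init__(self, window=60, k=3.0):
        self.window = window
        self.k = k
        self.threshold = None

    def _counts(self, events):
        return Counter((t // self.window, src) for t, src, _ in events)

    def train(self, events):
        counts = list(self._counts(events).values())
        self.threshold = mean(counts) + self.k * pstdev(counts)
        return self.threshold

    def detect(self, events):
        if self.threshold is None:
            raise RuntimeError("train() first")
        return sorted((w, src, n) for (w, src), n in self._counts(events).items()
                      if n > self.threshold)


def constructed_log(per_window_counts, base_t=0, window=60):
    """Spread the given per-source counts evenly over each 60 s window."""
    events = []
    for w, counts in enumerate(per_window_counts):
        for src, n in counts.items():
            for i in range(n):
                t = base_t + w * window + (i * window) // n
                events.append((t, src, "GET /index.html HTTP/1.1"))
    return events


# Training: two quiet minutes from five internal clients.
TRAINING = constructed_log([
    {"10.0.0.11": 2, "10.0.0.12": 3, "10.0.0.13": 4, "10.0.0.14": 3, "10.0.0.15": 3},
    {"10.0.0.11": 3, "10.0.0.12": 3, "10.0.0.13": 3, "10.0.0.14": 4, "10.0.0.15": 2},
])

# Live minute starting at t=960: one busy scanner plus two single attack requests.
LIVE = constructed_log([{"10.0.0.12": 4, "198.51.100.7": 12}], base_t=960) + [
    (965, "198.51.100.7", "GET /null.printer HTTP/1.0"),
    (970, "10.0.0.13", "GET /search.html?q=%27%20OR%201%3D1 HTTP/1.1"),
]


def run(training=TRAINING, live=LIVE):
    det = RateAnomalyDetector()
    det.train(training)
    return {"signature": signature_alerts(live), "anomaly": det.detect(live)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind, alerts)
```

Each strategy sees something the other misses: the single quote-injection request from 10.0.0.13 is invisible to the rate detector, and the scanner's volume is invisible to the signatures except for the one request that happens to match. The signature also only matches that incarnation; a double-encoded "%2527" quote passes it, and a slow scan from one source stays under the learned threshold.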

INTRUSION DETECTION LIMITATIONS
Each one of these technologies has limitations
 Signature based
  – Can only detect known attacks (sometimes only specific attack incarnations)
  – Must be constantly updated
 Anomaly based
  – Cannot easily absorb change
  – Some attacks are hard to separate from legitimate traffic
 Host based
  – Requires widespread deployment of sensors/agents (hard to manage, expensive)
  – Introduces complexity into end systems
 Network based
  – Vulnerable to differences in TCP/IP implementations (the sensor may reassemble fragments or overlapping segments differently from the monitored host)
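
The network-based limitation above, as an added example that is not part of the presentation: a Python model of TCP segment reassembly under two overlap policies, with a constructed pair of overlapping segments. Which policy a given operating system applies, and whether the sensor matches it, is the ambiguity; the segments and the signature string are assumptions.

```python
"""Overlapping TCP segments reassembled under two policies.  Added example for
this page, not the presentation's code.  Which policy a given operating system
applies, and whether the sensor matches it, is the ambiguity the slide refers
to; the segments below are constructed."""


def reassemble(segments, policy):
    """segments: list of (offset, data) in arrival order, offsets relative to
    the first data byte.  policy 'first' keeps the byte from the segment that
    first covered an offset; 'last' lets a later segment overwrite it."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for off, data in segments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    if not stream:
        return b""
    out = bytearray()
    for pos in range(max(stream) + 1):
        if pos not in stream:
            raise ValueError("gap at offset %d" % pos)  # cannot deliver yet
        out.append(stream[pos])
    return bytes(out)


# Constructed attack: a short segment with harmless bytes arrives first and
# covers offsets 4..16; the full request arrives second and overlaps it.
EVIL = b"GET /null.printer HTTP/1.0\r\n\r\n"
SEGMENTS = [
    (4, b"/index.html00"),   # 13 bytes, same length as b"/null.printer"
    (0, EVIL),
]
NEEDLE = b".printer"          # what the sensor's signature looks for


def signature_hit(stream, needle=NEEDLE):
    return needle in stream


def evaded(segments, sensor_policy, host_policy, needle=NEEDLE):
    """True when the host receives the needle but the sensor never sees it."""
    sensor_view = reassemble(segments, sensor_policy)
    host_view = reassemble(segments, host_policy)
    return signature_hit(host_view, needle) and not signature_hit(sensor_view, needle)


if __name__ == "__main__":
    print("sensor (first):", reassemble(SEGMENTS, "first"))
    print("host   (last): ", reassemble(SEGMENTS, "last"))
    print("evaded:", evaded(SEGMENTS, "first", "last"))
```

If the sensor favours the first copy of an overlapped byte and the host favours the last, the sensor reconstructs "GET /index.html00 ..." and stays silent while the host executes the request that contains the signature. The same mismatch works in the other direction as an insertion (the sensor alarms on data the host discards), and the same ambiguity exists for overlapping IP fragments; the practical fix is to make the sensor reassemble the way each monitored host does, or to normalise traffic before it reaches either.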

INTRUSION PREVENTION
Intrusion Prevention generates an active response to intrusion events
 Responds actively to security events
  – Terminates network connections
  – Communicates with the firewall / switch to disconnect or block the attacker
  – Terminates compromised processes
 Pros
  – Doesn't require human attention (?)
  – Can preemptively block known intrusion attempts
 Cons
  – Doesn't require human attention (!)
  – Can block legitimate use
  – Can be turned into a DoS (remember spoofing: an attacker who forges the source address of a legitimate host gets that host blocked)
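
The active-response DoS and one way to guard against it, as an added example that is not the presentation's code. A naive IPS blocks whatever source address appears in an alert; the guarded version keeps a never-block list, only acts on alerts whose source completed a TCP handshake (something a blind spoofer cannot do), and lets blocks expire. The addresses, signatures and the "handshake_completed" flag the sensor supplies are assumptions.

```python
"""Active response with a guard against the spoofing DoS the slide warns of.
Added example for this page, not the presentation's code.  The never-block
addresses and alerts are hypothetical; the 'handshake_completed' flag stands
for what a sensor knows from its own TCP flow tracking."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src: str
    signature: str
    handshake_completed: bool  # sensor saw SYN, SYN|ACK and ACK from this src


NEVER_BLOCK = {"192.0.2.53", "203.0.113.10"}  # hypothetical resolver and partner gateway


class NaiveIPS:
    """Blocks whatever source address appears in an alert, forever."""

    def __init__(self):
        self.blocked = set()

    def handle(self, alert, now):
        self.blocked.add(alert.src)
        return True

    def is_blocked(self, src, now):
        return src in self.blocked


class GuardedIPS:
    """Same response, but (1) addresses on the never-block list are only
    logged, (2) alerts from sources that never completed a handshake are only
    logged, since a blind spoofer can forge those, and (3) blocks expire."""

    def __init__(self, never_block=NEVER_BLOCK, block_seconds=600):
        self.never_block = set(never_block)
        self.block_seconds = block_seconds
        self.blocked = {}  # src -> expiry time
        self.log = []

    def handle(self, alert, now):
        if alert.src in self.never_block:
            self.log.append((now, alert.src, alert.signature, "alert only: never-block list"))
            return False
        if not alert.handshake_completed:
            self.log.append((now, alert.src, alert.signature, "alert only: unverified source"))
            return False
        self.blocked[alert.src] = now + self.block_seconds
        self.log.append((now, alert.src, alert.signature, "blocked for %ds" % self.block_seconds))
        return True

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[src]  # block has aged out
            return False
        return True


# Constructed alert stream: a genuine attacker, then forged packets carrying the
# resolver's address and a partner's address, then a spoofed random address.
ALERTS = [
    (100, Alert("198.51.100.7", "iis-printer-isapi", handshake_completed=True)),
    (101, Alert("192.0.2.53", "dns-overflow-probe", handshake_completed=False)),
    (102, Alert("203.0.113.10", "iis-printer-isapi", handshake_completed=False)),
    (103, Alert("203.0.113.77", "iis-printer-isapi", handshake_completed=False)),
]


def run(alerts=ALERTS, check_at=800):
    naive, guarded = NaiveIPS(), GuardedIPS()
    for t, a in alerts:
        naive.handle(a, t)
        guarded.handle(a, t)
    srcs = [a.src for _, a in alerts]
    return {
        "naive": {s: naive.is_blocked(s, 104) for s in srcs},
        "guarded": {s: guarded.is_blocked(s, 104) for s in srcs},
        "guarded_later": {s: guarded.is_blocked(s, check_at) for s in srcs},
    }


if __name__ == "__main__":
    for name, verdicts in run().items():
        print(name, verdicts)
```

The naive engine blocks the resolver and the partner gateway after three forged packets, which is the DoS the slide means. The guard has a cost that matches the "(?)" and "(!)" on the slide: alerts carried only by UDP or by a half-open SYN never trigger an automatic block and still need a human, and an attacker who is on-path rather than blind can complete a handshake from a forged address.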

HOST IPS
Several different intrusion prevention strategies at the host level are being developed
 Code injection protection / mitigation
  – Non executable stack (Sun Solaris)
  – Non writeable code segment, non executable everything else (OpenBSD, Linux w/ grsecurity, Windows XP SP2 w/ AMD64)
  – Address randomization (OpenBSD, grsecurity)
 Containment
  – chroot jails (POSIX)
  – System call policing, systrace (OpenBSD, NetBSD)
  – Privilege separation (OpenBSD)

THE NEW PERIMETER
The concept of a network perimeter is coming to an end
 Peer to peer
 HTTP tunneling
  – SSL
 Instant messaging
 Rich clients

PERSONAL FIREWALLS
Personal firewalls bring packet filtering to the workstation
 Police traffic coming into and going out of the workstation
 Add the application dimension to the rules (which program may open which connection)
 Dynamically configurable
 Start to borrow capabilities from IPS

Q & A

Thank You! Maximiliano Caceres |