Intrusion Detection & Response: Leveraging Next-Generation Firewalls
Ahmed Abdel-Aziz, SANS Technology Institute (Candidate for Master of Science Degree)

Presentation transcript:
Slide 1 (title): Intrusion Detection & Response: Leveraging Next-Generation Firewalls
Ahmed Abdel-Aziz, November 2009
GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT), CISSP

Slide 2: Objective
1) Describe recent threat trends and security statistics
2) What next-generation firewalls (NGFWs) are
3) How to leverage NGFWs in intrusion detection: NGFWs in bot detection and extrusion detection
4) How to leverage NGFWs in intrusion response: NGFWs in incident handling, NAC, and application enforcement
5) Important planning considerations

Slide 3: Threat Trends & Security Statistics (Section 1 of 5)
- Bots are increasing: Trojan variants spiked 300% from 2007 to 2008 [source: McAfee Virtual Criminology Report, 2008]
- Compromise discovery takes months or longer 65% of the time; responding to a compromise takes weeks or longer 63% of the time [source: Verizon Business, 2008 Data Breach Investigations Report]
- NGFWs can significantly reduce compromise discovery time (specifically for bot detection) and response time

Slide 4: NGFWs, The Evolution (Section 2 of 5)
- NGFWs incorporate multiple security services on one platform (the later slides use the NIPS, antimalware, antispam, URL filtering, SSL inspection, DLP and NAC components)
- NGFWs are not a solution to every problem, for example:
  - Use a WAF for web application attacks (XSS, SQL injection, etc.)
  - Use a dedicated security solution for advanced spam filtering
- Firewalls are typically a prevention control; an NGFW can also become a detection and reactive control, giving more effective, simpler, and more economical security

Slide 5: NGFWs in Bot Detection (Section 3 of 5, Intrusion Detection)
What bots do:
- Steal sensitive information
- Send spam, act as a proxy
- Execute DDoS and other attacks
Bot detection techniques:
(1) Detection using the NIPS component of the NGFW
  - NIPS blocks attacks originating from internal bots
  - NIPS cuts communication between a bot and its command-and-control (C&C) server using known traffic signatures (popular bots only, unencrypted communication only)

Slide 6: NGFWs in Bot Detection, continued (Section 3 of 5, Intrusion Detection)
(2) Detection by blocking the protocol used for command-and-control (C&C)
  - Example: stop Storm bot updates by blocking the eDonkey P2P protocol
  - Configured on Fortinet using a Protection Profile
(3) Detection by logging violations and keeping an audit trail
  - Add an explicit deny rule at the end of the firewall policy and log it (the implicit deny at the end of the policy is otherwise not logged, so the violations are never seen)
  - Tighten the outgoing firewall policy too, not just the incoming one
  - The network audit trail supports traffic-flow analysis: look for anomalies (malware can be detected this way without antivirus)

Slide 7: NGFWs in Bot Detection, continued (Section 3 of 5, Intrusion Detection)
(4) Detection by filtering malicious content in traffic
  - Leverage perimeter antimalware, antispam and URL filtering
  - Configured on Fortinet using a Protection Profile
  - Use SSL inspection for encrypted protocols: HTTPS, SMTPS, POPS, IMAPS (without it, content filtering sees only the TLS handshake)
(5) Detection using DNS-based techniques
  - A high number of MX requests from a host that is not an SMTP server (a spambot resolving its victims' mail exchangers)
  - The same DNS request from many internal hosts at the same time (bots resolving their C&C name on a schedule)
  - Very small TTL values in DNS replies (fast flux)
  - What they have in common: anomalous DNS traffic
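The three DNS anomalies on slide 7, turned into checks that run over a DNS query log. This is an added example and not code from the slides or from Fortinet; the log format (timestamp, client, query type, name, reply TTL), the set of hosts allowed to issue MX lookups, the thresholds, and every sample record are constructed for illustration.

```python
"""Bot hunting in DNS logs: the three DNS anomalies from slide 7."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (not from the slides): only these internal
# hosts legitimately issue MX lookups, and these thresholds mark an anomaly.
MAIL_SERVERS = {"10.0.0.25"}
MX_THRESHOLD = 3                      # MX lookups from one non-mail host
SYNC_HOSTS = 3                        # distinct hosts asking for the same name ...
SYNC_WINDOW = timedelta(seconds=30)   # ... within this window
FASTFLUX_TTL = 60                     # reply TTL (seconds) below which fast flux is suspected

# Constructed sample log: "timestamp client qtype qname reply_ttl" per line.
SAMPLE_LOG = """
2009-11-03T09:00:00 10.0.0.25 MX example.net 3600
2009-11-03T09:00:01 10.0.0.25 MX example.org 3600
2009-11-03T09:00:02 10.0.1.17 MX example.com 3600
2009-11-03T09:00:02 10.0.1.17 MX example.net 3600
2009-11-03T09:00:03 10.0.1.17 MX example.org 3600
2009-11-03T09:00:03 10.0.1.17 MX example.edu 3600
2009-11-03T09:00:04 10.0.1.17 A update.bad-c2.example 30
2009-11-03T09:00:06 10.0.1.18 A update.bad-c2.example 30
2009-11-03T09:00:08 10.0.1.19 A update.bad-c2.example 45
2009-11-03T09:00:10 10.0.1.20 A www.example.com 3600
2009-11-03T10:15:00 10.0.1.21 A www.example.com 3600
2009-11-03T11:30:00 10.0.1.22 A www.example.com 3600
"""


def parse(text):
    """One dict per log line; names are lowercased so case games do not split a name."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qtype, qname, ttl = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                        "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower(), "ttl": int(ttl)})
    return records


def mx_from_non_mail_hosts(records):
    """Anomaly 1: hosts other than the mail servers doing MX lookups."""
    counts = defaultdict(int)
    for r in records:
        if r["qtype"] == "MX" and r["client"] not in MAIL_SERVERS:
            counts[r["client"]] += 1
    return {host: n for host, n in counts.items() if n >= MX_THRESHOLD}


def synchronized_lookups(records):
    """Anomaly 2: the same name requested by SYNC_HOSTS distinct hosts within SYNC_WINDOW."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["qname"]].append((r["ts"], r["client"]))
    hits = {}
    for qname, events in by_name.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # window starts at each event
            clients = {c for t, c in events[i:] if t - start <= SYNC_WINDOW}
            if len(clients) >= SYNC_HOSTS:
                hits[qname] = clients
                break
    return hits


def fast_flux_candidates(records):
    """Anomaly 3: names whose replies carry a TTL below FASTFLUX_TTL (lowest TTL seen)."""
    low = {}
    for r in records:
        if r["ttl"] < FASTFLUX_TTL:
            low[r["qname"]] = min(low.get(r["qname"], r["ttl"]), r["ttl"])
    return low


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("MX lookups from non-mail hosts:", mx_from_non_mail_hosts(recs))
    print("Synchronized lookups:", synchronized_lookups(recs))
    print("Fast-flux candidates:", fast_flux_candidates(recs))
```

On the sample data the three checks converge on the same workstations: 10.0.1.17 is doing MX lookups it has no business doing, and it resolves update.bad-c2.example together with two other hosts within a few seconds, with a 30-second TTL. Each check alone produces false positives (CDNs use short TTLs, a popular site gets looked up by many hosts at once); the value is in the overlap, and the thresholds must be tuned against a baseline of the site's own DNS traffic.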

Slide 8: NGFWs in Extrusion Detection (Section 3 of 5, Intrusion Detection)
Basic data leakage prevention
- Prevent leakage of confidential documents through HTTP
- Achieved by defining a watermark (a fixed string embedded in every confidential document) and creating a custom IPS rule that drops any TCP/80 flow carrying it
- Sample rule for a Fortinet NGFW (the signature uses Fortinet's Snort-like F-SBID syntax; every option is terminated by a semicolon, and the entry is closed with "next"):

    config ips custom
        edit "DataLeakageThroughHTTP"
            set signature 'F-SBID(--name "DLP"; --dst_port 80; --flow bi_direction; --default_action drop; --protocol tcp; --pattern "Organization Confidential X!kltsrodm*(&!sldrk4#dk-+"; )'
        next
    end

- Other rules can be used to detect credit card numbers using regular expressions
- Caveats: the match is on cleartext, so HTTPS needs the SSL inspection from slide 7 before this rule sees anything; --dst_port 80 only covers standard-port HTTP, so a web proxy on another port or a non-HTTP upload channel is not inspected; and a watermark only works while the leaked copy still contains it unchanged

Slide 9: NGFWs in Incident Handling (Section 4 of 5, Intrusion Response)
A security incident took place while on-site (the process proved effective in responding to a spambot)
(1) Identification phase of the incident handling process
- Users were suddenly unable to send email to any destination
- Tested with nslookup (to find the destination's MX host) and telnet to TCP/25 to send mail by hand: the SMTP connection was rejected
- The organization's public IP was blacklisted as a spam sender
- A sudden spike in activity: a spambot on the network

Slide 10: NGFWs in Incident Handling, continued (Section 4 of 5, Intrusion Response)
(2) Containment phase of the incident handling process
- Block all outgoing TCP/25 except from the mail server
- Spambots on the network are unable to send more spam; the damage already done remains (the public IP has been blacklisted)
(3) Eradication phase of the incident handling process
- Goal: remove the attacker's artifacts
- Spambots were detected by logging the violations of the TCP/25 rule configured during containment: 12 spambots detected
- Eradication needs time; disconnect the bots and move on to recovery
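The same firewall log does double duty: on slide 6 it is the audit trail of an explicit, logged deny rule that surfaces anomalies, and on slide 10 it is the record of the containment rule's violations that turns into the list of spambots to eradicate. The following is an added example, not code from the slides or from Fortinet: it parses constructed log lines in a FortiOS-style key=value layout and applies both readings. The policy IDs (7 for the containment rule, 99 for the logged deny-all rule), the threshold, and all sample records are assumptions.

```python
"""Reading a firewall's deny log two ways: containment-rule violators (spambots)
and hosts tripping the explicit deny-all rule toward many destinations."""
from collections import defaultdict

SMTP_BLOCK_POLICY = "7"      # assumed ID of the containment rule: deny TCP/25 except from the mail server
EXPLICIT_DENY_POLICY = "99"  # assumed ID of the logged deny-all rule at the end of the policy
MIN_DISTINCT_DST = 4         # distinct (dstip, dstport) pairs before a host is called anomalous

# Constructed sample log in a FortiOS-style key=value layout (abbreviated fields).
SAMPLE_LOG = """
time=09:05:01 type=traffic srcip=10.0.0.25 srcport=40001 dstip=203.0.113.10 dstport=25 proto=6 action=accept policyid=5
time=09:05:02 type=traffic srcip=10.0.1.17 srcport=49152 dstip=203.0.113.10 dstport=25 proto=6 action=deny policyid=7
time=09:05:02 type=traffic srcip=10.0.1.17 srcport=49153 dstip=203.0.113.11 dstport=25 proto=6 action=deny policyid=7
time=09:05:03 type=traffic srcip=10.0.1.17 srcport=49154 dstip=198.51.100.7 dstport=25 proto=6 action=deny policyid=7
time=09:05:04 type=traffic srcip=10.0.1.18 srcport=51000 dstip=203.0.113.12 dstport=25 proto=6 action=deny policyid=7
time=09:05:05 type=traffic srcip=10.0.1.18 srcport=51001 dstip=203.0.113.13 dstport=25 proto=6 action=deny policyid=7
time=09:05:06 type=traffic srcip=10.0.1.30 srcport=33001 dstip=198.51.100.20 dstport=6667 proto=6 action=deny policyid=99
time=09:05:06 type=traffic srcip=10.0.1.30 srcport=33002 dstip=198.51.100.21 dstport=6667 proto=6 action=deny policyid=99
time=09:05:07 type=traffic srcip=10.0.1.30 srcport=33003 dstip=198.51.100.22 dstport=4444 proto=6 action=deny policyid=99
time=09:05:07 type=traffic srcip=10.0.1.30 srcport=33004 dstip=198.51.100.23 dstport=8080 proto=6 action=deny policyid=99
time=09:05:08 type=traffic srcip=10.0.1.30 srcport=33005 dstip=198.51.100.24 dstport=445 proto=6 action=deny policyid=99
time=09:05:09 type=traffic srcip=10.0.1.40 srcport=60000 dstip=192.0.2.50 dstport=23 proto=6 action=deny policyid=99
"""


def parse_logs(text):
    """Each line becomes a dict of its key=value fields (values contain no spaces here)."""
    return [dict(field.split("=", 1) for field in line.split())
            for line in text.strip().splitlines()]


def smtp_policy_violators(records):
    """Slide 10: spambot candidates are the sources whose TCP/25 connections the
    containment rule denied; the count is the number of distinct mail servers each tried."""
    targets = defaultdict(set)
    for r in records:
        if (r["action"] == "deny" and r["policyid"] == SMTP_BLOCK_POLICY
                and r["dstport"] == "25"):
            targets[r["srcip"]].add(r["dstip"])
    return {src: len(dsts) for src, dsts in sorted(targets.items())}


def deny_anomalies(records):
    """Slide 6: hosts hitting the explicit deny-all rule toward many distinct
    destination/port pairs, a pattern of C&C hunting or scanning rather than a typo."""
    pairs = defaultdict(set)
    for r in records:
        if r["action"] == "deny" and r["policyid"] == EXPLICIT_DENY_POLICY:
            pairs[r["srcip"]].add((r["dstip"], r["dstport"]))
    return {src: len(p) for src, p in pairs.items() if len(p) >= MIN_DISTINCT_DST}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOG)
    bots = smtp_policy_violators(recs)
    print(f"{len(bots)} spambot candidate(s):", bots)
    print("Deny-all anomalies:", deny_anomalies(recs))
```

The mail server's own accepted connection on policy 5 and the single denied telnet attempt from 10.0.1.40 are ignored; 10.0.1.17 and 10.0.1.18 come out as the spambots, and 10.0.1.30 is flagged for trying five unrelated destinations and ports within seconds. Without the explicit, logged deny rule the second list cannot be built at all, which is the point of slide 6.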

Slide 11: NGFWs in Incident Handling, continued (Section 4 of 5, Intrusion Response)
(4) Recovery phase of the incident handling process
Action 1: change the mail server's blacklisted public IP
- On Fortinet the feature is called IP Pools (source NAT from a pool of public addresses)
- This affects outgoing mail traffic only; to move inbound mail to the new address as well, the DNS MX record must also be changed
Action 2: remove the public IP from the blacklists
- Get the list of blacklists that carry the IP from MXtoolbox.com, then request removal of the IP from each
(5) Lessons learned phase of the incident handling process
- Duration from identification to recovery: only one hour
- Compare to the typical intrusion response time of weeks (source: Verizon Business, 2008 Data Breach Investigations Report)
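What a service like MXtoolbox does for the identification step on slide 9 and the recovery check on slide 11 is a DNS blacklist (DNSBL) query: reverse the octets of the public IP, append the list's zone, and look the name up. The following is an added example and not code from the slides or from any blacklist operator. The two zones are assumptions for illustration (querying them needs network access and is subject to each list's usage terms), and the resolver is injectable so the logic can be exercised offline.

```python
"""DNS blacklist (DNSBL) lookup for a mail server's public IP."""
import ipaddress
import socket

# Assumed zones for the example; substitute the lists your site cares about.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus answers in this sub-range signal a query problem (for instance a
# query sent through a public resolver), not a listing. Reading them as
# "listed" is a common mistake when automating this check.
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_query_name(ip, zone):
    """203.0.113.10 in zen.spamhaus.org -> 10.113.0.203.zen.spamhaus.org"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def interpret_answer(answer):
    """Classify the A record a DNSBL returned."""
    addr = ipaddress.IPv4Address(answer)
    if addr in ERROR_NET:
        return "error"
    if addr in LISTED_NET:
        return "listed"
    return "unexpected"   # not a DNSBL-style answer; treat it as a lookup problem


def check_listing(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Return {zone: 'listed' | 'not listed' | 'error' | 'unexpected'} for ip.

    `resolve` is a callable taking a hostname and returning an IPv4 string, or
    raising socket.gaierror when the name does not exist."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            results[zone] = "not listed"   # NXDOMAIN: the IP is not in this list
            continue
        results[zone] = interpret_answer(answer)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    for zone, verdict in check_listing(target).items():
        print(f"{target} {zone}: {verdict}")
```

Two practical notes. socket.gethostbyname raises the same gaierror for NXDOMAIN and for a transient resolver failure, so a production version should use a resolver library that exposes the response code, and should also fetch the TXT record most lists return alongside the A record, since it carries the reason and the removal URL. Run the check again after the IP-pool change on slide 11 to confirm the new outbound address is clean before routing mail through it.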

Slide 12: NGFWs in Network Access Control (Section 4 of 5, Intrusion Response)
Pre-admission network access control in the NGFW
- Checks for an existing, running and updated endpoint security solution (isolate hosts whose endpoint security is missing or compromised)
- Pre-build an application white-list and enable it on demand (isolate hosts with unknown applications installed)
Post-admission network access control in the NGFW
- Isolate hosts that originate attacks detected by the NIPS
- Isolate virus senders detected by antimalware
- Isolate hosts violating the configured DLP rules
This allows a very fast response time, but automatic isolation on a false positive takes legitimate hosts off the network (self-DoS potential)

Slide 13: NGFWs in Application Enforcement (Section 4 of 5, Intrusion Response)
Enforcing application use
- Only Firefox on Windows is allowed as a web browser
- The IPS negative security model (block known bad) becomes a positive security model (allow only known good)
- Achieved by creating a custom IPS rule on the NGFW that drops any HTTP GET whose headers do not contain the approved User-Agent line
- Sample rule for a Fortinet NGFW (the rv: and Gecko/ build values were blank in the slide transcript and must be filled in with the approved browser build's exact header; semicolons inside the pattern are escaped because ";" terminates an option in the F-SBID syntax):

    config ips custom
        edit "NotFirefoxBrowserOnWindows"
            set signature 'F-SBID(--name "App Enforcement"; --service HTTP; --default_action drop; --flow established; --pattern "GET"; --context header; --pattern ! "User-Agent: Mozilla/5.0 (Windows\; U\; Windows NT 5.1\; en-us\; rv: ) Gecko/ Firefox/3.0.5\r\n"; --context header; )'
        next
    end

- Caveat: the User-Agent header is set by the client, so this stops unmanaged browsers and careless malware, not an attacker who copies the approved string; the rule also needs updating with every browser upgrade, or the upgrade itself gets blocked
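Both custom IPS rules on this page inspect HTTP: slide 13's positive model on the User-Agent header and slide 8's negative model on the body (the watermark, and the credit-card numbers the slide says other rules can catch with regular expressions). The following is an added example in Python, not code from the slides or from Fortinet, that applies both to raw HTTP requests; the approved User-Agent string and the sample requests are constructed for illustration, and the watermark is the one from slide 8.

```python
"""Positive-model User-Agent enforcement (slide 13) and negative-model body
inspection for a watermark and Luhn-valid card numbers (slide 8)."""
import re

# Assumed: the managed browser build's exact User-Agent string (illustrative value).
ALLOWED_USER_AGENTS = {
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5",
}
# Watermark string from the slide 8 DLP rule.
WATERMARK = "Organization Confidential X!kltsrodm*(&!sldrk4#dk-+"
# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def parse_http(raw):
    """Split a raw request into method, target, lowercase-keyed headers and body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit runs that look like card numbers and pass Luhn; the checksum cuts
    down the false positives a bare regex produces on order and phone numbers."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect(raw, allowed=ALLOWED_USER_AGENTS):
    """Return the list of drop reasons for one request; an empty list means pass."""
    req = parse_http(raw)
    verdicts = []
    # Positive model (slide 13): a GET whose User-Agent is not on the allow-list is dropped.
    if req["method"] == "GET" and req["headers"].get("user-agent") not in allowed:
        verdicts.append("drop:user-agent")
    body = req["body"].decode("latin-1")
    # Negative model (slide 8): known-bad content in the body.
    if WATERMARK in body:
        verdicts.append("drop:watermark")
    for pan in find_pans(body):
        verdicts.append("drop:pan:" + mask(pan))
    return verdicts


# Constructed sample requests.
UA = next(iter(ALLOWED_USER_AGENTS))
REQ_FIREFOX_GET = ("GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: " + UA + "\r\n\r\n").encode()
REQ_CURL_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.19.7\r\n\r\n"
REQ_WATERMARK_POST = ("POST /upload HTTP/1.1\r\nHost: files.example.net\r\nUser-Agent: " + UA
                      + "\r\nContent-Type: text/plain\r\n\r\nQ3 plan. " + WATERMARK + "\r\n").encode()
REQ_PAN_POST = ("POST /form HTTP/1.1\r\nHost: shop.example.net\r\nUser-Agent: " + UA
                + "\r\n\r\ncard=4111 1111 1111 1111&name=A").encode()
REQ_BAD_PAN_POST = ("POST /form HTTP/1.1\r\nHost: shop.example.net\r\nUser-Agent: " + UA
                    + "\r\n\r\nref=1234 5678 9012 3456").encode()

if __name__ == "__main__":
    for name, raw in [("firefox GET", REQ_FIREFOX_GET), ("curl GET", REQ_CURL_GET),
                      ("watermark POST", REQ_WATERMARK_POST), ("card POST", REQ_PAN_POST),
                      ("reference POST", REQ_BAD_PAN_POST)]:
        print(f"{name}: {inspect(raw) or 'pass'}")
```

The last two requests show why the Luhn step matters: 4111 1111 1111 1111 (a well-known test number) is reported, while 1234 5678 9012 3456 matches the regex but fails the checksum and passes through. Like the IPS rules it mirrors, this sees only cleartext, so HTTPS needs SSL inspection first, and the User-Agent check is defeated by any client that sends the approved string.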

Slide 14: Important Planning Considerations (Section 5 of 5)
Proper product selection and sizing is key to performance
- Research the underlying hardware technology and software integration
- Datasheet figures are not enough: check an independent testing lab's certification for real-world performance. Example: the NSS Labs report on the FortiGate 3810A NGFW states "Sustained 270Mbps throughput with all security services enabled", a fraction of the datasheet firewall-only figure, because every enabled service costs throughput
Check the quality of the security services included in the NGFW (ICSA Labs certification for IPS, firewall, antimalware, etc.)
Avoid a single point of failure by clustering; decide whether to fail open or fail closed (balance the availability need against the confidentiality and integrity needs)

Slide 15: Summary
- The statistics demonstrate that improvement is needed in the current state of intrusion detection and response
- NGFWs can be leveraged to significantly improve intrusion detection and response times, including for bot intrusions
- Planning the deployment is critical to reaping the rewards
- The paper in the SANS Reading Room includes more information: detection_and_response_leveraging_next_generation_firewall_technology_33053, or search on "NGFW" on the SANS site