NetRanger Intrusion Detection System Marek Mąkowski 0600_11F8_c2
The Security Wheel: Defense In-Depth Effective network security requires defense in-depth, multiple capabilities - a combination of framework/process, technology, and expertise/ongoing operations… Real-Time Intrusion Detection & Response 7x24 Monitoring Vulnerability Scanning & Analysis Security Posture Assessment Risk Assessment Centralized Policy & Configuration Management Trend Analysis Management Reports Incident Response ID/Authentication Encryption & VPN Firewalls Security Design & Implementation/Integration 1) Corporate Security Policy 2) SECURE 3) MONITOR 4) AUDIT/TEST 5) MANAGE & IMPROVE Policy Development & Review
Why Active Audit? The hacker might be an employee or ‘trusted’ partner Up to 80% of security breaches are from insiders -- FBI Your defense might be ineffective One in every thee intrusions occur where a firewall is in place -- Computer Security Institute Your employees might make mistakes Misconfigured firewalls, modems, old passwords, etc. Your network will Grow and Change Each change is a security risk Firewalls, Authorization, Encryption do not provide Visibility into these problems
Active Audit -- Goal: Visibility NetRanger Intrusion Detection System Monitors user behaviors while on the network Similar to the guards, video cameras and motion detectors that help secure bank vaults
NetRanger Overview Real-Time Intrusion Detection and Response Finds and stops unauthorized activity occurring on the network --- “reactive” appliance Network “motion sensor, video camera, and security guard” Industry-leading technology Scalable, distributed operation High performance (100MB Ethernet, FDDI, Token Ring) “On-the-fly” re-configuration of Cisco Router ACLs to shun intruders
NetRanger Architecture NetRanger Director * Software * NetRanger Sensor * Appliance * Alarm Handling Configuration Control Signature Control Detection Alarm Generation Response Countermeasures Comm
Sensor Appliance
Sensor Front Panel
Sensor Back Panel Monitoring NIC Command NIC
Attack Signature Detection Scans Packet Header and Payload Single and multiple packet attacks Three-tier Attack Detection 1. Name Attacks (Smurf, PHF) 2. General Category (IP Fragments) 3. Extraordinary (TCP Hijacking, Spam) Customer Defined Signatures String matching (words) Quickly defend against new attacks Scan for unique misuse
Sensor—Detect Intrusions Context: (Header) Content: (Data) “Atomic” Single Packet “Composite” Multiple Packets Ping of Death Land Attack Port Sweep SYN Attack TCP Hijacking MS IE Attack DNS Attacks Telnet Attacks Character Mode Attacks
Sensor—Event Logging Events are Logged for Three Different Activities Alarms Alarms—when signature is detected Errors Errors—when error is detected Commands Commands—when user executes command on Director or Sensor Ping Sweep Director Lost Communications Director Sensor Shun Attacking Host _03F8_c2 NW98_US_401 Sensor
Sensor—Attack Response Session Termination and Shunning Session Termination TCP Hijack Kill current session Kills an active session Shunning NetworkDevice Shun Attacker Reconfigure router to deny access Sensor Attacker
Sensor—Session Logging Protected Network Session Log Attack Sensor Attacker Capture evidence (Keystrokes) of suspicious or criminal activity Fish Bowl or Honeypot -- Learn and record a hacker’s knowledge of your network
NetRanger Deployment DNS IOS Firewall Cisco Router WWW Server DNS Server Corporate Network Engineering Finance Admin Business Partner Dial-Up Access Cisco Router NetRanger Director ID/Auth. TACACS+ Cisco Secure Server Switch PIX Firewall Internet NR/NS NetRanger Remote Security Monitoring NetRanger NetSonar
NetRanger Director Geographically Oriented GUI Operations-friendly HP OpenView GUI Color Icon Alarm notification Quickly pinpoint, analyze and respond Maintain Security operations consistency Network Security Database Attack info, hotlinks, countermeasures Customizable Monitor Hundreds of Sensors per NOC
Software Requirements Operating Systems Solaris or 2.6 HP-UX HP OpenView 4.11, 5.01, 6.0 Web browser (for NSDB)
Hardware Requirements Sun SPARC platform with: NetRanger install partition: /usr/nr (50 MB) NetRanger log partition: /usr/nr/var (2 GB) HP OpenView install partition: /opt (110 MB) Java run-time environment: /opt (12 MB) System RAM: 96 MB
Hardware Requirements (cont.) HP-UX platform with: NetRanger install partition: /usr/nr (50 MB) NetRanger log partition: /usr/nr/var (2 GB) HP OpenView install partition: /opt (65 MB) Java run-time environment: /opt (10 MB) System RAM: 96 MB
Director - Distributed Management Enterprise Strategic Management Regional Operational Management Local Network Security Management Director Tier 1 Director Tier 2 Director Tier 3 Director Tier 3
Alarm Display and Management Director icon Context intrusion alarm Content intrusion alarm Sensor icon
Configuration Management
Network Security Database On-line reference tool Contains: Descriptions Recommendations and fixes Severity ratings Hyperlinks to external information/patches
Custom Script Execution Starts any user- defined script. and Script Execution Notification Sends notification to recipient or pager.
The Security Wheel: Defense In-Depth Effective network security requires defense in-depth, multiple capabilities - a combination of framework/process, technology, and expertise/ongoing operations… Real-Time Intrusion Detection & Response 7x24 Monitoring Vulnerability Scanning & Analysis Security Posture Assessment Risk Assessment Centralized Policy & Configuration Management Trend Analysis Management Reports Incident Response ID/Authentication Encryption & VPN Firewalls Security Design & Implementation/Integration 1) Corporate Security Policy 2) SECURE 3) MONITOR 4) AUDIT/TEST 5) MANAGE & IMPROVE Policy Development & Review
What comprises Active Audit? NetSonar Vulnerability scanning Network mapping Measure exposure Security expertise NetRanger Real-time analysis Intrusion detection Dynamic response Assurance Proactive Reactive
NetSonar™ Security Scanner “ Proactive Security” 0305_10F8_c2
Network Vulnerability Assessment Active Audit—Network Vulnerability Assessment Assess and report on the security status of network components Scanning (active, passive), vulnerability database NetSonar
NetSonar Overview Vulnerability scanning and network mapping system Identifies and analyzes security vulnerabilities in ever-changing networks -- “proactive” software Industry-leading technology Network mapping Host and device identification Flexible reporting Scheduled scanning
Network Discovery Process Network Mapping Identify live hosts Identify services on hosts Vulnerability Scanning Analyze discovery data for potential vulnerabilities Confirm vulnerabilities on targeted hosts Target
Network Mapping Tool Uses multiple techniques Ping sweeps - Electronic Map Port sweeps - Service discovery Unique discovery features Detects workstations, routers, firewalls, servers, switches, printers, and modem banks Detects Operating Systems and version numbers Does not require SNMP
Vulnerability Assessment Engine Potential Vulnerability Engine -- Passive Compares network discovery data to rules to reveal potential vulnerabilities Confirmed Vulnerability Engine -- Active Uses well-known exploitation techniques to fully confirm each suspected vulnerability and to identify vulnerabilities not detected during passive mapping
How NetSonar Works Network Discovery Active Ping Sweep - ID Hosts Inactive Port Sweeps - ID Svcs Svr Web Svr Workstation Firewall Router SMTP FTP HTTP FTP Telnet Passive Vulnerability Analysis Active Vulnerability Analysis Presentation & Reporting Exploits executed against target hosts Discovery data analyzed by rules Workstation: Windows NT v4.0 SMB Redbutton Anonymous FTP Communicate results FTP Bounce Exploit