Presentation is loading. Please wait.

Presentation is loading. Please wait.

Defense-in-Depth, Part 2: Advanced Intrusion Defense Joel Snyder Opus One

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Defense-in-Depth, Part 2: Advanced Intrusion Defense Joel Snyder Opus One"— Presentation transcript:

1 Defense-in-Depth, Part 2: Advanced Intrusion Defense Joel Snyder Opus One jms@opus1.com

2 Traditional perimeter technology is being… … Supplemented?

3 A firewall is not just a firewall any more Firewalls now have “advanced application intelligence” Actually, they had that already, but the marketroids had to keep themselves busy Firewalls now are “intrusion prevention systems” Isn’t every firewall an intrusion prevention system? Firewalls now do virus scanning, content scanning, and ironing Application-layer firewalls are needed to protect legions of inadequate web programmers IDS has been replaced by IPS (No, I don’t believe that, I’m just repeating awful rumors) Worms now outnumber viruses in your e-mail by a factor of 20 to 1 Spam represents 50% to 75% of all e-mail you receive

4 Key question: Do you need this? Do you need to buy (or upgrade) to a bigger, smarter, faster, more capable firewall? Do you need to buy an IPS? …an application layer firewall? …a smarter IDS? …an SSL VPN device? Do I want an all-in-one thing? Do I want individual parts? The answer you’ve been waiting for… is on the very next slide!

5 Should I buy a lot of this new security stuff? And if I do buy this, what kind should I buy? And where should I put it? And which product should I buy? Answer: 42

6 I can’t tell you what is right for your network I can tell you what products are out there and what they are doing I can also tell you what the trends are in these products But the hard work remains yours So let’s look at what’s happening in the firewall business

7 March, 2004: Information Security sponsors research on new firewall technologies Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard Support from Andy Briney, Neil Roiter at Information Security http://infosecuritymag.techtarget.com/

8 Firewalls have been around for a very long time “[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990) 1989 1991 1993 1995 1997 1999 2001 2003 2005 First firewalls deployed in Internet-connected organizations “Firewalls and Internet Security” published TIS toolkit commonly available Cisco buys PIX (Network Translation) CheckPoint revenues cross $100m WatchGuard introduces 1st FW appliance

9 Surely firewall makers have been busy since 1999 ? Clear market trends Faster Cheaper Smaller New Guard: NetScreen (Juniper), Watchguard, SonicWALL Old Guard: Cisco, Check Point Clear product trends Add VPN features Site-to-site Remote Access (?) Add policy-based URL control Websense-type Add interfaces No longer just inside, outside, DMZ

10 Surely, firewall makers have been busy since 1999 ? Clear market trends Faster Cheaper Smaller New Guard: NetScreen (Juniper), Watchguard, SonicWALL Old Guard: Cisco, Check Point Clear product trends Add VPN features Site-to-site Remote Access (?) Add policy-based URL control Websense-type Add interfaces No longer just inside, outside, DMZ

11 Incremental improvements are not very exciting Smaller, cheaper, faster: that’s great VPNs, more interfaces: that’s great But what have you done for me lately? To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!

12 Arguments between Proxy and Stateful PF continued Proxy More secure because you can look at application data stream More secure because you have independent TCP stacks Stateful PF Faster to write Faster to adapt Faster to run Faster also means cheaper

13 Proxy-based firewalls aren’t dead… just slow! Proxy Packet Filtering Src=10.1.1.99 Dst=5.6.7.8 TCP/IP Src=1.2.3.4 Dst=5.6.7.8 Kernel Inside network = 10.1.1.0/24 Outside net = 1.2.3.4 RTL Process Space

14 Firewall Landscape: five years ago IBM eNetwork Secure Computing Altavista Firewall TIS Gauntlet Raptor Eagle Elron Cyberguard Ukiah Software NetGuard WatchGuard SonicWALL Check Point Livermore Software Milkyway Borderware Global Internet

15 Stateful Packet Filtering dominates the market Stateful Packet Filtering IP Kernel Check Point Cisco NetScreen SonicWALL Freeware-based products: Ipchains, IPF, Iptables, IPFW FW Newcomers: Fortinet, Toshiba, Ingate, ServGate, many others

16 But… the core argument was never disputed Proxy-based firewalls do have the possibility to give you more control because they maintain application- layer state information The reality is that proxy-based firewalls rarely went very far down that path Why? Market demand, obviously…

17 Firewall Evolution: What we hoped for… Additional granular controls on a wide variety of applications Intrusion detection and prevention functionality Vastly improved centralized management systems More flexible deployment options

18 Firewall Evolution: What we found… Additional granular controls on some a wide variety of applications Limited intrusion detection and prevention functionality Vastly improved centralized management systems More flexible deployment options Why? Market demand, obviously…

19 So what’s going on in the firewall business? Products are diverging, not converging Personalities of products are distinct IPS is a step forward, but not challenging the world of standalone products Rate of change of established products is slow compared to new entries

20 What does this mean for me and my firewall? Products are diverging Personalities are distinct IPS weaker than standalone Change rate slow Matching firewall to policy is hard; change in application or policy may mean changing product! Aggressive adoption of new features unlikely in popular products; need new blood to overcome product inertia

21 Are Intrusion Detection Systems dead? http://infosecuritymag.techtarget.com/ Massive Support from Marty Roesch, Ron Gula, Robert Graham Products from ISS, Cisco, and Tenable Cash and Prizes from Andy Briney and Neil Roiter

22 This is an IDS alert… IDS saw a packet aimed at a protected system IDS magic decoder technology correctly identifies this as “Back Orifice!”

23 This IDS alert ain’t no good Last time I checked, FreeBSD 4.9 was not one of the supported platforms for BackOrifice…

24 Please don’t call that a false positive IDS developers will jump down your throat “False Positive” means the IDS cried wolf when there was no such attack Usually the result of poorly written signatures Instead, let’s invent a complex multisyllable term: “non-contextual alert”

25 The IDS lacks “context” IF the IDS knew that the destination system was not running Windows… IF the IDS knew that the destination system was not running Back Orifice… IF the IDS knew that there was no such destination system… IF the IDS knew that the destination system was more hops away then TTL allowed…

26 IF IF IF the IDS knew more… THEN the IDS could tell the IDS operator more about this attack Ron Gula (Tenable) says that alerts are “raw intelligence.” They are data, but are not information yet. We need to turn them into “well-qualified intelligence” to start a war.

27 Roesch: “Target-Based IDS” Target-based IDS Sensor The sensor has knowledge about the network The sensor has knowledge about the hosts Target-based Event Correlation The output of the sensor is compared to knowledge of vulnerabilities Target-based IDS has two components

28 Start with a normal IDS… 1.IDS sensors generate enormous dinosaur-sized piles of alerts; alerts are sent to the IDS console 2.Operator gets enormous dinosaur-sized headache looking at hundreds of thousands of alerts … and add brains!

29 What does an IDS with brains look like?

30 Brains=knowledge + process Knowledge Somehow figure out lots of information about What systems are out there What software they are running What attacks they are vulnerable to Process Evaluate each alert with the additional contextual knowledge and decide To promote the alert To demote the alert That we don’t know

31 Can this quiet my IDS down? It could… But none of the products I looked at have a feedback loop to the IDS! Why don’t the scanners tell the IDS what ports to look on? Why don’t the scanners tell the IDS what signatures to ignore?

32 Is this right for you? YES! “I already have an IDS and I care about the alerts and I need some way to help prioritize them because I am drowning in alerts!” “I need to get an IDS for alerts but don’t have the manpower to analyze the alerts.” NO! “If I get this, my IDS will be a self-tuning smooth-running no- maintenance machine.” “I have no network security policy which says what to do when an alert occurs.”

33 Advanced Intrusion Defense Joel Snyder Opus One jms@opus1.com

Download ppt "Defense-in-Depth, Part 2: Advanced Intrusion Defense Joel Snyder Opus One"

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Firewalls Anand Sharma Austin Wellman Kingdon Barrett.

Firewalls Anand Sharma Austin Wellman Kingdon Barrett.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewall Configuration Strategies

Firewall Configuration Strategies
MSIT 458: Information Security & Assurance By Curtis Pethley.

MSIT 458: Information Security & Assurance By Curtis Pethley.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
Firewall Slides by John Rouda

Firewall Slides by John Rouda
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Application-layer firewalling: Raise your perimeter IQ Joel Snyder Opus One.

Application-layer firewalling: Raise your perimeter IQ Joel Snyder Opus One.
EDUCAUSE Security 2006 Internet John Brown University.

EDUCAUSE Security 2006 Internet John Brown University.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Similar presentations

Ads by Google