Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies
Max Caceres, CORE Security Technologies, www.coresecurity.com


Slide 2: AGENDA
Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies
- Intro
- Securing the Perimeter
- Intrusion Detection
- Intrusion Prevention
- The New Perimeter
- Q & A

Slide 3: WHY MITIGATE?
A risk management approach to security
- Modern networks are complex systems
  - Each node has specific security characteristics
  - Nodes interact with each other
  - Subject to constant change (business driven)
- Security as an emergent characteristic
- Focus on risk
  - 100% bulletproof is a utopian dream
  - As countermeasures and protection mechanisms evolve, attacks evolve too

Slide 4: SECURING THE PERIMETER
Friends in, foes out. Defining and securing the network perimeter.

Slide 5: PACKET FILTERS
Packet filters can control which packets are allowed to get through the firewall and which are not.
- Packet filter
  - Rules based on individual packets
  - Real fast
  - Most popular routers incorporate this functionality
- Stateful packet filter
  - Rules can refer to established sessions or flows
  - Very fast
  - Most modern firewalls are stateful
Diagram (TCP session seen by the filter): SYN | port 80 -> SYN | ACK | ISN# 2222 -> ACK #2222 | port 80 | data -> ACK #bbbb | data
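To make the "rules can refer to established sessions" point concrete, here is an added example (not code from the slides or from CORE Security) of a toy stateful filter beside a stateless one. Both are fed the slide's handshake (SYN to port 80, SYN|ACK back, then data) and then one unsolicited packet with ACK set arriving from outside. The addresses, the "inside" prefix and the packet layout are constructed for the example; the stateful filter only tracks the SYN/ACK flags it needs and ignores sequence numbers.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

INTERNAL_NET = "10.0.0."  # constructed: addresses starting with this are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK"}
    payload: bytes = b""


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_NET)


def flow_key(p: Packet):
    """Same key for both directions of one connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def policy_allows_new_connection(p: Packet) -> bool:
    """The static rule: inside hosts may open HTTP connections to the outside."""
    return is_internal(p.src) and not is_internal(p.dst) and p.dport == 80


def stateless_check(p: Packet) -> str:
    """Plain packet filter. It has no memory, so 'reply traffic' can only be
    approximated as 'any packet from port 80 with ACK set', which an
    unsolicited ACK also satisfies."""
    if policy_allows_new_connection(p):
        return "ALLOW"
    if "ACK" in p.flags and p.sport == 80:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    def __init__(self):
        # flow key -> (state, endpoint that sent the first SYN)
        self.table: Dict[Tuple, Tuple[str, Tuple[str, int]]] = {}

    def check(self, p: Packet) -> str:
        key = flow_key(p)
        entry = self.table.get(key)
        if p.flags == frozenset({"SYN"}):
            # New connection: only what the static policy permits (retransmitted
            # SYNs on a known flow are dropped here for simplicity).
            if entry is None and policy_allows_new_connection(p):
                self.table[key] = ("SYN_SENT", (p.src, p.sport))
                return "ALLOW"
            return "DROP"
        if entry is None:
            return "DROP"  # no session: unsolicited ACK, SYN|ACK or data
        state, initiator = entry
        from_responder = (p.dst, p.dport) == initiator
        if state == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}) and from_responder:
            self.table[key] = ("SYN_RECEIVED", initiator)
            return "ALLOW"
        if state in ("SYN_RECEIVED", "ESTABLISHED") and "ACK" in p.flags and "SYN" not in p.flags:
            self.table[key] = ("ESTABLISHED", initiator)
            return "ALLOW"
        return "DROP"


def run_handshake_demo():
    """Replays the slide's exchange, then an unsolicited ACK from outside."""
    fw = StatefulFilter()
    inside, outside = "10.0.0.5", "203.0.113.10"  # constructed addresses
    handshake = [
        Packet(inside, outside, 40000, 80, frozenset({"SYN"})),
        Packet(outside, inside, 80, 40000, frozenset({"SYN", "ACK"})),
        Packet(inside, outside, 40000, 80, frozenset({"ACK"}), b"GET / HTTP/1.0\r\n\r\n"),
        Packet(outside, inside, 80, 40000, frozenset({"ACK"}), b"HTTP/1.0 200 OK\r\n"),
    ]
    stateful = [fw.check(p) for p in handshake]
    stateless = [stateless_check(p) for p in handshake]
    # ACK set, source port 80, but no session was ever opened to this port
    rogue = Packet(outside, inside, 80, 40001, frozenset({"ACK"}))
    return {
        "stateful": stateful,
        "stateless": stateless,
        "rogue_stateful": fw.check(rogue),
        "rogue_stateless": stateless_check(rogue),
    }


if __name__ == "__main__":
    print(run_handshake_demo())
```

Both filters pass the legitimate session; only the stateful one drops the rogue packet, because it checks the flow table instead of guessing from flags. The "very fast" claim on the slide rests on that table lookup being a hash lookup per packet rather than a rule scan.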

Slide 6: APPLICATION LAYER FIREWALLS
Application layer firewalls provide more granular control of networked applications and services.
- Police traffic at the application layer
- Pros
  - Rules refer to specific services
  - Can spot protocol deviations and abuses
  - Very granular control on protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block "'" in HTTP form fields)
- Cons
  - Resource intensive
  - Tough to keep up with app-layer protocols
Diagram: the client sends HTTP GET /index.html and HTTP GET /null.printer; the firewall forwards GET /index.html (HTTP Response returned) and marks GET /null.printer BLOCKED!
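The following is an added example (not from the slides or from CORE Security) of the kind of inspection an application-layer firewall does for HTTP: it parses the request line, headers and form fields, rejects protocol deviations, and applies the two rules the slide names, the "/null.printer" request and the apostrophe in form fields. The rule set, the allowed-method list and the sample requests are constructed for the example.

```python
from urllib.parse import parse_qsl, urlsplit

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # constructed policy
BLOCKED_EXTENSIONS = (".printer",)          # the slide's /null.printer example
FORBIDDEN_FIELD_CHARS = ("'",)              # the slide's "block ' in HTTP form fields"
MAX_TARGET_LEN = 2048


def inspect_http_request(raw: bytes):
    """Return (verdict, reason) for one raw HTTP request."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "BLOCK", "non-ASCII bytes in request"
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    # Protocol deviation: the request line must be METHOD TARGET HTTP/1.x
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "BLOCK", "malformed request line"
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        return "BLOCK", f"method {method} not permitted"
    if len(target) > MAX_TARGET_LEN:
        return "BLOCK", "request target too long"
    url = urlsplit(target)
    if url.path.lower().endswith(BLOCKED_EXTENSIONS):
        return "BLOCK", f"extension not served: {url.path}"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return "BLOCK", "malformed header line"
        headers[name.strip().lower()] = value.strip()
    # Form fields come from the query string and, for urlencoded POSTs, the body
    fields = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        fields += parse_qsl(body, keep_blank_values=True)
    for name, value in fields:
        if any(c in value for c in FORBIDDEN_FIELD_CHARS):
            return "BLOCK", f"forbidden character in field {name!r}"
    return "ALLOW", "ok"


# constructed sample requests
SAMPLE_REQUESTS = {
    "index": b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "printer": b"GET /null.printer HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "quote_in_form": (
        b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"user=admin'--&pw=x"
    ),
    "apostrophe_in_query": b"GET /search?q=it's HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "garbage": b"GARBAGE\r\n\r\n",
}


def run_demo():
    return {label: inspect_http_request(req)[0] for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, inspect_http_request(req))
```

Note what the "apostrophe_in_query" case shows: the slide's apostrophe rule also blocks a legitimate search for "it's". That is the cost of granular protocol rules, and it is why such a firewall needs per-application tuning, which is the "tough to keep up with app-layer protocols" point in the Cons list.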

Slide 7: NETWORK SEGMENTATION
Dividing the network into different physical segments has many advantages.
- Assigning trust to network segments
- Pros
  - Reduces "attack surface" at many levels
  - Contains or limits successful intrusions
  - Provides control and audit capabilities for internal traffic
- Cons
  - Tough to configure and manage if the network is very dynamic
  - Strict performance requirements

Slide 8: NETWORK SEGMENTATION (2)
A classic segmentation example: the DMZ

Slide 9: INTRUSION DETECTION
Intrusion Detection Systems passively monitor the network's operation for attacks and anomalies.
- Monitor the network for security events
  - Intrusion attempts
  - Successful attacks
  - Anomalies
- Forensics
  - Network audit trail
- Internally deployed
  - Detect anomalies within the perimeter
- Externally deployed
  - Measure threat (?)

Slide 10: INTRUSION DETECTION STRATEGIES
There are many different IDS technologies being developed today.
- Signature based
  - Watches for known attacks (signatures)
  - Can detect some well-defined anomalies
- Anomaly
  - Watches for anomalies (not known attacks)
  - Self-learned (adapts to the network) / Programmed (follows defined rules)
- Host based
  - Sensor sits in the monitored host
- Network based
  - Sensor sits on the network
- Hybrids

Slide 11: INTRUSION DETECTION LIMITATIONS
Each one of these technologies has limitations.
- Signature based
  - Can only detect known attacks (sometimes only specific attack incarnations)
  - Must be constantly updated
- Anomaly
  - Cannot easily absorb change
  - Some attacks are hard to separate from legitimate traffic
- Host based
  - Requires widespread deployment of sensor/agent (hard to manage / expensive)
  - Introduces complexity into end-systems
- Network based
  - Vulnerable to differences in TCP/IP implementations
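Slides 10 and 11 describe signature and anomaly detection and their limitations in the abstract. The added example below (not code from the slides or from CORE Security) runs both strategies over a few constructed web-server log lines. The signature engine carries two rules, one for the slide's ".printer" request and one for a "../" traversal sequence; run without URL-decoding it misses the encoded variant of the traversal, which is the "only specific attack incarnations" limitation. The self-learned anomaly detector flags every path it did not see during training, so it catches both attack requests but also a legitimate page added after training, which is the "cannot easily absorb change" limitation. Log lines, addresses and rules are all constructed.

```python
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# constructed sample log lines: a training window of normal traffic ...
BASELINE_LOG = """\
10.0.0.5 - - [10/Oct/2004:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.6 - - [10/Oct/2004:13:55:37 -0700] "GET /about.html HTTP/1.0" 200 1200
10.0.0.7 - - [10/Oct/2004:13:55:38 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [10/Oct/2004:13:55:39 -0700] "GET /products.html HTTP/1.0" 200 4100
"""
# ... and a later window with two attack attempts and one new legitimate page
LIVE_LOG = """\
10.0.0.6 - - [11/Oct/2004:09:00:01 -0700] "GET /index.html HTTP/1.0" 200 2326
203.0.113.10 - - [11/Oct/2004:09:00:02 -0700] "GET /null.printer HTTP/1.0" 500 0
203.0.113.11 - - [11/Oct/2004:09:00:03 -0700] "GET /cgi-bin/view?f=..%2f..%2fetc%2fpasswd HTTP/1.0" 404 0
10.0.0.8 - - [11/Oct/2004:09:00:04 -0700] "GET /newsletter.html HTTP/1.0" 200 900
"""

# constructed signature list: (name, pattern applied to the request target)
SIGNATURES = [
    ("printer-extension", re.compile(r"\.printer(\?|$)", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def parse(log: str):
    """Parse Common Log Format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signature_alerts(events, normalize: bool):
    """Match each request target against the signature list. With
    normalize=False the raw target is matched, so the encoded '..%2f'
    variant slips past a signature written for '../'."""
    alerts = []
    for ev in events:
        target = unquote(ev["target"]) if normalize else ev["target"]
        for name, rx in SIGNATURES:
            if rx.search(target):
                alerts.append((ev["src"], name))
    return alerts


class PathAnomalyDetector:
    """Self-learned detector: remembers every path requested during training
    and flags any request for a path it has never seen."""

    def __init__(self):
        self.known = set()

    def train(self, events):
        for ev in events:
            self.known.add(ev["target"].split("?")[0])

    def alerts(self, events):
        return [(ev["src"], ev["target"]) for ev in events
                if ev["target"].split("?")[0] not in self.known]


def run_demo():
    baseline, live = parse(BASELINE_LOG), parse(LIVE_LOG)
    det = PathAnomalyDetector()
    det.train(baseline)
    return {
        "sig_raw": signature_alerts(live, normalize=False),
        "sig_normalized": signature_alerts(live, normalize=True),
        "anomaly": det.alerts(live),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The normalisation step is the defender's fix for the encoding variant, but it is exactly the kind of protocol-specific knowledge that has to be maintained per protocol, which is why the slides say signature engines must be constantly updated. The anomaly detector's false positive on /newsletter.html is the trade-off on the other side: it needs retraining whenever the site changes.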

Slide 12: INTRUSION PREVENTION
Intrusion Prevention generates an active response to intrusion events.
- Responds actively to security events
  - Terminates network connections
  - Communicates with the firewall / switch to disconnect / block the attacker
  - Terminates compromised processes
- Pros
  - Doesn't require human attention (?)
  - Can preemptively block known intrusion attempts
- Cons
  - Doesn't require human attention (!)
  - Can block legitimate use
  - Can be turned into a DoS (remember spoofing)
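The "can be turned into a DoS (remember spoofing)" caveat is easy to demonstrate. The added example below (not from the slides or from CORE Security) models the firewall-blocking response in two forms: a naive IPS that blocks whatever source address an alert names, and a guarded one that never auto-blocks an allowlisted address and only blocks sources whose flow completed a TCP handshake, since a forged source address cannot complete one. The alert records, signature names and addresses are constructed; the DNS server stands in for any upstream dependency whose address could appear in a forged packet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src: str            # source address the sensor attributed the event to
    signature: str      # which rule fired (constructed names)
    established: bool   # did the sensor see a completed TCP handshake for this flow?


class NaiveIPS:
    """Blocks whatever source address appears in an alert."""

    def __init__(self):
        self.blocked = set()

    def handle(self, alert: Alert) -> str:
        self.blocked.add(alert.src)
        return "BLOCKED"


class GuardedIPS:
    """Same response with two guards: an allowlist of addresses that are never
    auto-blocked, and a requirement that the offending flow completed a TCP
    handshake, which a spoofed source cannot do."""

    def __init__(self, never_block):
        self.blocked = set()
        self.never_block = set(never_block)

    def handle(self, alert: Alert) -> str:
        if alert.src in self.never_block:
            return "LOGGED_ONLY:allowlisted"
        if not alert.established:
            return "LOGGED_ONLY:unverified-source"
        self.blocked.add(alert.src)
        return "BLOCKED"


def run_demo():
    partner_dns = "198.51.100.53"   # constructed: upstream DNS server we depend on
    attacker = "203.0.113.99"       # constructed
    events = [
        # a real event seen over a completed handshake
        Alert(attacker, "printer-extension", established=True),
        # a single packet whose source field carries the DNS server's address
        Alert(partner_dns, "udp-probe", established=False),
    ]
    naive, guarded = NaiveIPS(), GuardedIPS(never_block={partner_dns})
    return {
        "naive": [naive.handle(a) for a in events],
        "guarded": [guarded.handle(a) for a in events],
        "naive_blocked_partner": partner_dns in naive.blocked,
        "guarded_blocked_partner": partner_dns in guarded.blocked,
        "guarded_blocked_attacker": attacker in guarded.blocked,
    }


if __name__ == "__main__":
    print(run_demo())
```

The naive IPS cuts itself off from its own DNS server on the strength of one forged packet; the guarded one logs the event for a human and keeps the block for the source it could verify. This is the operational form of the slide's "doesn't require human attention (!)" line: the response policy has to say when a human is in the loop.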

Slide 13: HOST IPS
Several different intrusion prevention strategies at the host level are being developed.
- Code injection protection / mitigation
  - Non-executable stack (Sun Solaris)
  - Non-writeable code segment, non-executable everything else (OpenBSD, Linux w/GR Security, Windows XP sp2 w/AMD64)
  - Address randomization (OpenBSD, GR Security)
- Containment
  - Chroot jails (POSIX)
  - System call policing, systrace (OpenBSD, NetBSD)
  - Privilege separation (OpenBSD)

Slide 14: THE NEW PERIMETER
The concept of a network perimeter is coming to an end.
- Peer 2 Peer
- HTTP tunneling
  - SSL
- Instant messaging
- Rich e-mail clients

Slide 15: PERSONAL FIREWALLS
Personal firewalls bring packet filtering to the workstation.
- Polices traffic coming into and going out of the workstation
- Adds the application dimension to the rules
- Dynamically configurable
- Starts to borrow capabilities from IPS

Slide 16: Q & A

Slide 17: Thank You!
Maximiliano Caceres | max@coresecurity.com | http://www.coresecurity.com
