SANS Technology Institute - Candidate for Master of Science Degree

Intrusion Detection & Response: Leveraging Next-Generation Firewalls
Ahmed Abdel-Aziz, November 2009
GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT), CISSP
Objective
1) Describe Recent Threat Trends & Security Statistics
2) What are Next-Generation Firewalls (NGFWs)
3) How to Leverage NGFWs in Intrusion Detection
   – NGFWs in Bot Detection & Extrusion Detection
4) How to Leverage NGFWs in Intrusion Response
   – NGFWs in Incident Handling, NAC, and Application Enforcement
5) Important Planning Considerations
Threat Trends & Security Statistics (Section 1 of 5)
Bots Increasing – Trojan variants spiked 300% from 2007 to 2008 [source: McAfee Virtual Criminology Report, 2008]
Compromise Discovery takes at least months, 65% of the time
Responding to Compromise takes at least weeks, 63% of the time [source: Verizon Business, 2008 Data Breach Investigations Report]
NGFWs Can Significantly Reduce Compromise Discovery (specifically Bot Detection) & Response Times.
NGFWs – The Evolution (Section 2 of 5)
NGFWs Incorporate Multiple Security Services
NGFWs Are Not a Solution to Every Problem (examples):
– Use a WAF for web application attacks (XSS, SQL Injection, etc.)
– Use a dedicated email security solution for advanced spam filtering
Firewalls Are Typically a Prevention Control; NGFWs Can Also Become a Detection & Reactive Control
– More Effective, Simpler, and Economical Security
NGFWs in Bot Detection (Section 3 of 5, Intrusion Detection)
What Bots Do:
– Steal Sensitive Info
– Send Spam, Act as Proxy
– Execute DDoS & Other Attacks
Bot Detection Techniques:
(1) Detection by Using the NIPS Component of the NGFW
– NIPS Blocks Attacks Originating from Internal Bots
– NIPS Cuts Communication Between a Bot & its Command-and-Control (C&C) Server using Known Traffic Signatures (Popular Bots Only, Unencrypted Communication Only)
NGFWs in Bot Detection, Continued (Section 3 of 5, Intrusion Detection)
(2) Detection by Blocking the Protocol Used for Command-and-Control (C&C)
– Stop Storm Bot Updates by Blocking the eDonkey P2P Protocol
– Configured in Fortinet Technology using a Protection Profile
(3) Detection by Logging Violations & Audit Trail
– Add an Explicit Deny Rule at the End of the Firewall Policy for Logging
– Tighten the Outgoing Firewall Policy Too – Not Just Incoming
– Network Audit Trail for Traffic Flow Analysis – Anomalies??
(Malware Can Be Detected Without Antivirus, Interesting!!)
NGFWs in Bot Detection, Continued (Section 3 of 5, Intrusion Detection)
(4) Detection by Filtering Malicious Content in Traffic
– Leverage Perimeter Antimalware, Antispam, URL Filtering
– Configured in Fortinet Technology Using a Protection Profile
– Use SSL Inspection for Encrypted Network Protocols: HTTPS, SMTPS, POPS, IMAPS
(5) Detection Using DNS-Based Techniques
– High Number of MX DNS Requests From a Non-SMTP Server
– Same DNS Request From Many Internal Hosts At the Same Time
– Very Small TTL Values in DNS Replies (Fast Flux)
(What's in Common? ... DNS Anomalous Traffic)
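As an added illustration of the three DNS heuristics on this slide (not part of the original presentation), the following Python runs all three over a few constructed DNS query-log lines; the log format, the thresholds and the MAIL_SERVERS set are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample DNS log (not from the slides): epoch, client IP, query type, name, reply TTL
DNS_LOG = """\
1258000000 10.0.0.5 A www.example.com 3600
1258000001 10.0.0.7 MX example.net 300
1258000002 10.0.0.7 MX example.org 300
1258000003 10.0.0.7 MX example.info 300
1258000004 10.0.0.7 MX example.biz 300
1258000010 10.0.0.11 A cdn-update.example 20
1258000011 10.0.0.12 A cdn-update.example 20
1258000012 10.0.0.13 A cdn-update.example 20
1258000013 10.0.0.14 A cdn-update.example 20
1258000050 10.0.0.2 MX example.com 3600
"""

MAIL_SERVERS = {"10.0.0.2"}  # assumed: the only hosts that legitimately resolve MX records
MX_THRESHOLD = 3             # MX lookups from a non-mail host before alerting
FANOUT_HOSTS = 4             # distinct clients asking for the same name ...
FANOUT_WINDOW = 60           # ... within this many seconds (simultaneous C&C lookups)
MIN_TTL = 60                 # replies with a TTL below this look like fast flux

def parse(log):
    """Split each line into (ts, src, qtype, qname, ttl)."""
    rows = []
    for line in log.splitlines():
        ts, src, qtype, qname, ttl = line.split()
        rows.append((int(ts), src, qtype, qname.lower(), int(ttl)))
    return rows

def detect(log):
    """Return sorted (heuristic, subject) alerts raised by the three DNS checks."""
    alerts = set()
    mx_count = defaultdict(int)
    seen = defaultdict(list)  # qname -> [(ts, src)] for the fan-out check
    for ts, src, qtype, qname, ttl in parse(log):
        # Heuristic 1: MX lookups from a host that is not a mail server
        if qtype == "MX" and src not in MAIL_SERVERS:
            mx_count[src] += 1
            if mx_count[src] >= MX_THRESHOLD:
                alerts.add(("mx_from_non_mail_host", src))
        # Heuristic 3: very small TTL in the reply (fast flux)
        if ttl < MIN_TTL:
            alerts.add(("low_ttl", qname))
        # Heuristic 2: the same name requested by many internal hosts at the same time
        seen[qname].append((ts, src))
        recent = {s for t, s in seen[qname] if ts - t <= FANOUT_WINDOW}
        if len(recent) >= FANOUT_HOSTS:
            alerts.add(("same_query_many_hosts", qname))
    return sorted(alerts)
```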
NGFWs in Extrusion Detection (Section 3 of 5, Intrusion Detection)
Basic Data Leakage Prevention
– Prevent Leakage of Confidential Documents Through HTTP
– Achieved by Defining a Watermark & Creating a Custom IPS Rule
– Sample Rule for Fortinet NGFW Below:

    config ips custom
        edit DataLeakageThroughHTTP
            set signature 'F-SBID(--name "DLP"; --dst_port 80; --flow bi_direction; --default_action DROP; --protocol tcp; --pattern "Organization Confidential X!kltsrodm*(&!sldrk4#dk-+"; )'
        next
    end

Other Rules Can Be Used to Detect Credit Card Numbers using Regular Expressions
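The credit-card rule mentioned on this slide is not shown in the presentation; the following Python is added here as an illustration (not a Fortinet rule) of why a regular expression alone is a noisy DLP signature: every candidate is filtered through the Luhn checksum before it is reported. The CARD_RE pattern and the masking format are assumptions.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes
# (assumption: the formats users typically paste into web forms).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn mod-10 check; rejects most digit runs (order ids, phone numbers) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(payload):
    """Return masked PANs found in an outbound HTTP body that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            # keep BIN and last four so the alert is useful without logging the full PAN
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

# Constructed POST bodies: one real-looking test PAN, one 16-digit value that fails Luhn
LEAK = "name=Alice&card=4111 1111 1111 1111&cvv=123"
BENIGN = "name=Bob&order=4111111111111112&ref=1234567890123"
```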
NGFWs in Incident Handling (Section 4 of 5, Intrusion Response)
Security Incident Took Place While On-site (Process Proved Effective in Responding to a Spambot)
(1) Identification Phase – Incident Handling Process
– Users Suddenly Unable to Send Email to Any Destination
– nslookup & telnet to Send Email: SMTP Connection Rejected
– Public IP Blacklisted as a Spam Sender
– Sudden Spike in Email Activity: Spambot on the Network
NGFWs in Incident Handling, Continued (Section 4 of 5, Intrusion Response)
(2) Containment Phase – Incident Handling Process
– Block All Outgoing TCP/25 Except from the Mail Server
– Spambots on the Network Unable to Send More Spam, but Damage Already Done (Public IP Has Been Blacklisted)
(3) Eradication Phase – Incident Handling Process
– Goal: Remove the Attacker's Artifacts
– Spambots Detected by Logging Violations of the TCP/25 Rule Configured in Containment: 12 Spambots Detected!
– Eradication Needs Time; Disconnect the Bots, Move to Recovery
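As an added example (not from the presentation), the following Python performs the eradication-phase step above on constructed FortiGate-style key=value traffic log lines: it lists internal hosts whose outbound TCP/25 attempts hit the containment deny rule and ranks them by how many distinct mail servers they tried to reach. The field names, the mail server address 10.1.1.2 and the policy ids are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (not from the slides). Assumed: policy 10 permits SMTP from the mail
# server, policy 11 is the logged explicit deny for everyone else's outbound TCP/25.
TRAFFIC_LOG = """\
date=2009-11-10 time=09:01:03 type=traffic subtype=forward srcip=10.1.1.20 srcport=40211 dstip=203.0.113.5 dstport=25 proto=6 action=deny policyid=11
date=2009-11-10 time=09:01:04 type=traffic subtype=forward srcip=10.1.1.20 srcport=40212 dstip=198.51.100.9 dstport=25 proto=6 action=deny policyid=11
date=2009-11-10 time=09:01:05 type=traffic subtype=forward srcip=10.1.1.20 srcport=40213 dstip=192.0.2.77 dstport=25 proto=6 action=deny policyid=11
date=2009-11-10 time=09:01:06 type=traffic subtype=forward srcip=10.1.1.9 srcport=51000 dstip=203.0.113.5 dstport=25 proto=6 action=deny policyid=11
date=2009-11-10 time=09:01:07 type=traffic subtype=forward srcip=10.1.1.2 srcport=33001 dstip=203.0.113.5 dstport=25 proto=6 action=accept policyid=10
date=2009-11-10 time=09:01:08 type=traffic subtype=forward srcip=10.1.1.31 srcport=44000 dstip=198.51.100.9 dstport=443 proto=6 action=deny policyid=12
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
MAIL_SERVER = "10.1.1.2"   # assumed: the only host that should speak outbound SMTP
MIN_DESTINATIONS = 2       # distinct mail servers contacted before a host is called a spambot

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def smtp_violations(log):
    """srcip -> number of distinct dstip values for denied outbound TCP/25 attempts."""
    targets = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec.get("dstport") != "25" or rec.get("proto") != "6":
            continue                                  # not SMTP
        if rec.get("action") != "deny" or rec.get("srcip") == MAIL_SERVER:
            continue                                  # permitted traffic, or the real mail server
        targets[rec["srcip"]].add(rec["dstip"])
    return {src: len(dsts) for src, dsts in targets.items()}

def suspected_spambots(log):
    """Hosts that tried several different mail servers directly, most active first.
    A single denied attempt is reported by smtp_violations() but not called a bot here,
    since one stray connection may be a misconfigured client rather than malware."""
    counts = smtp_violations(log)
    return sorted((src for src, n in counts.items() if n >= MIN_DESTINATIONS),
                  key=lambda s: -counts[s])
```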
NGFWs in Incident Handling, Continued (Section 4 of 5, Intrusion Response)
(4) Recovery Phase – Incident Handling Process
Action 1: Change the Mail Server's Blacklisted Public IP
– In Fortinet Technology, the Feature is Called IP Pools
– Affects Outgoing Mail Traffic Only; Otherwise the DNS MX Record Must Be Changed
Action 2: Remove the Public IP from Blacklists
– Get Blacklists from MXtoolbox.com – Request Removal of the IP
(5) Lessons Learned Phase – Incident Handling Process
– Duration from Identification to Recovery – Only One Hour!!
– Compare to the Typical Intrusion Response Time of Weeks (Source: Verizon Business, 2008 Data Breach Investigations Report)
NGFWs in Network Access Control (Section 4 of 5, Intrusion Response)
Pre-Admission Network Access Control in NGFW
– Checks for an Existing, Running & Updated Endpoint Security Solution (Isolate Hosts with a Compromised Endpoint Security Solution)
– Pre-built Application Whitelist & Enable On-Demand (Isolate Hosts with Unknown Applications Installed)
Post-Admission Network Access Control in NGFW
– Isolate Hosts that Originate Attacks Detected by NIPS
– Isolate Virus Senders Detected by Antimalware
– Isolate Hosts Violating Configured DLP Rules
Allows Very Fast Response Time (Self-DoS Potential)
NGFWs in Application Enforcement (Section 4 of 5, Intrusion Response)
Enforcing Application Use
– Only Firefox on Windows Allowed as a Web Browser
– IPS Negative (-ve) Security Model Becomes a Positive (+ve) Security Model
– Achieved by Creating a Custom IPS Rule on the NGFW
– Sample Rule for Fortinet NGFW Below:

    config ips custom
        edit NotFirefoxBrowserOnWindows
            set signature 'F-SBID(--name "App Enforcement"; --service HTTP; --default_action DROP; --flow established; --pattern "GET"; --context header; --pattern !"User-Agent: Mozilla/5.0 (Windows: U: Windows NT 5.1: en-us: rv:1.9.0.5) Gecko/2008120123 Firefox/3.0.5\r\n"; --context header; )'
        next
    end
Important Planning Considerations (Section 5 of 5)
Proper Product Selection & Sizing Are Key to Performance
– Research the Underlying HW Technology & SW Integration
– Datasheet Figures Are Not Enough; Check Independent Testing Lab Certification for Real-World Performance
  Ex: NSS Labs Report on the FortiGate 3810A NGFW States "Sustained 270Mbps Throughput with all Security Services Enabled"
Check the Quality of Security Services Included in the NGFW (ICSA Labs Certification for IPS, Firewall, AntiMalware, etc.)
Avoid a Single Point of Failure by Clustering; Decide whether to Fail Open or Closed (Balance the Availability Need with the Confidentiality & Integrity Need)
Summary
Statistics Demonstrate Improvement Needed in the Current State of Intrusion Detection & Response
NGFWs Can Be Leveraged to Significantly Improve Intrusion Detection & Response Times, Including for Bot Intrusions
Planning the Deployment Is Critical to Reap the Rewards
Paper in SANS Reading Room Includes More Info:
http://www.sans.org/reading_room/whitepapers/firewalls/intrusion_detection_and_response_leveraging_next_generation_firewall_technology_33053
or ... search on "NGFW" on the SANS site