NetRanger Intrusion Detection System Marek Mąkowski 0600_11F8_c2.


1 NetRanger Intrusion Detection System Marek Mąkowski mmakowsk@cisco.com 0600_11F8_c2

2 The Security Wheel: Defense In-Depth
Effective network security requires defense in-depth, multiple capabilities: a combination of framework/process, technology, and expertise/ongoing operations.
Wheel stages: 1) Corporate Security Policy, 2) Secure, 3) Monitor, 4) Audit/Test, 5) Manage & Improve.
Capabilities arranged around the wheel: Real-Time Intrusion Detection & Response; 7x24 Monitoring; Vulnerability Scanning & Analysis; Security Posture Assessment; Risk Assessment; Centralized Policy & Configuration Management; Trend Analysis; Management Reports; Incident Response; ID/Authentication; Encryption & VPN; Firewalls; Security Design & Implementation/Integration; Policy Development & Review.

3 Why Active Audit?
- The hacker might be an employee or 'trusted' partner: up to 80% of security breaches are from insiders (FBI).
- Your defense might be ineffective: one in every three intrusions occurs where a firewall is in place (Computer Security Institute).
- Your employees might make mistakes: misconfigured firewalls, modems, old passwords, etc.
- Your network will grow and change: each change is a security risk.
- Firewalls, authorization and encryption do not provide visibility into these problems.

4 Active Audit -- Goal: Visibility
The NetRanger Intrusion Detection System monitors user behavior while on the network, similar to the guards, video cameras and motion detectors that help secure bank vaults.

5 NetRanger Overview: Real-Time Intrusion Detection and Response
- Finds and stops unauthorized activity occurring on the network: a "reactive" appliance
- Network "motion sensor, video camera, and security guard"
- Industry-leading technology
- Scalable, distributed operation
- High performance (100MB Ethernet, FDDI, Token Ring)
- "On-the-fly" re-configuration of Cisco router ACLs to shun intruders

6 NetRanger Architecture
- NetRanger Director (software): alarm handling, configuration control, signature control
- NetRanger Sensor (appliance): detection, alarm generation, response countermeasures
- Communications link ("Comm") between Director and Sensor

7 Sensor Appliance

8 Sensor Front Panel

9 Sensor Back Panel: Monitoring NIC, Command NIC

10 Attack Signature Detection
- Scans packet header and payload
- Single and multiple packet attacks
- Three-tier attack detection: 1. Named attacks (Smurf, PHF); 2. General category (IP fragments); 3. Extraordinary (TCP hijacking, e-mail spam)
- Customer-defined signatures: string matching (words); quickly defend against new attacks; scan for unique misuse

11 Sensor—Detect Intrusions
Signatures are classified along two axes: context (packet header) vs. content (packet data), and "atomic" (single packet) vs. "composite" (multiple packets).
Examples shown on the slide: Ping of Death, Land Attack, Port Sweep, SYN Attack, TCP Hijacking, MS IE Attack, DNS Attacks, Telnet Attacks, Character Mode Attacks.
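The distinction slides 10 and 11 draw (header vs. payload, single vs. multiple packets) is easiest to see in code. The following is an added example, not NetRanger code: a toy sensor that applies one context/atomic signature (Land attack: a packet whose source equals its destination), one content/atomic customer-defined string signature, and one context/composite signature (a port sweep, which needs state kept across packets from the same source). The packet records, thresholds and signature names are constructed for the example.

```python
"""Added example (not NetRanger code): a toy sensor illustrating atomic vs.
composite and context vs. content signatures over constructed packets."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # arrival time in seconds (constructed)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str           # "tcp", "udp", "icmp"
    flags: str = ""      # TCP flags, e.g. "S" for SYN
    payload: bytes = b""


class Sensor:
    def __init__(self, sweep_ports=5, sweep_window=10.0, string_sigs=None):
        self.sweep_ports = sweep_ports        # distinct ports that count as a sweep
        self.sweep_window = sweep_window      # seconds of history kept per (src, dst)
        self.string_sigs = string_sigs or {}  # name -> byte string to match in payload
        self._ports_seen = defaultdict(list)  # composite state: (src, dst) -> [(ts, dport)]
        self._sweep_alarmed = set()           # avoid re-alarming the same sweep
        self.alarms = []

    def _alarm(self, sig, pkt, detail=""):
        self.alarms.append({"sig": sig, "src": pkt.src, "dst": pkt.dst, "detail": detail})

    def inspect(self, pkt):
        # Context/atomic: Land attack needs only this packet's header fields.
        if pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport:
            self._alarm("Land Attack", pkt)

        # Content/atomic: customer-defined string match against the payload.
        for name, needle in self.string_sigs.items():
            if needle in pkt.payload:
                self._alarm(name, pkt, f"matched {needle!r}")

        # Context/composite: a port sweep is only visible across many packets,
        # so the sensor keeps a sliding window of destination ports per (src, dst).
        if pkt.proto == "tcp" and "S" in pkt.flags:
            key = (pkt.src, pkt.dst)
            hist = self._ports_seen[key]
            hist.append((pkt.ts, pkt.dport))
            cutoff = pkt.ts - self.sweep_window
            hist[:] = [(t, p) for t, p in hist if t >= cutoff]
            distinct = {p for _, p in hist}
            if len(distinct) >= self.sweep_ports and key not in self._sweep_alarmed:
                self._sweep_alarmed.add(key)
                self._alarm("Port Sweep", pkt, f"{len(distinct)} ports in {self.sweep_window}s")
        return self.alarms


def run_demo():
    """Feed constructed traffic through the sensor and return the alarm list."""
    sigs = {"Custom: PHF probe": b"/cgi-bin/phf"}   # constructed custom signature
    s = Sensor(sweep_ports=5, sweep_window=10.0, string_sigs=sigs)
    traffic = [
        # spoofed packet: source == destination, port == port
        Packet(0.0, "10.0.0.9", "10.0.0.9", 139, 139, "tcp", "S"),
        # single HTTP request carrying the custom string
        Packet(1.0, "192.0.2.7", "10.0.0.5", 40000, 80, "tcp", "PA",
               b"GET /cgi-bin/phf HTTP/1.0\r\n"),
        # six SYNs from one source to six ports on one host within 0.5 s
        *[Packet(2.0 + i * 0.1, "192.0.2.7", "10.0.0.5", 40001 + i, 20 + i, "tcp", "S")
          for i in range(6)],
        # ordinary single connection: no alarm
        Packet(3.0, "10.0.0.5", "10.0.0.6", 5000, 25, "tcp", "S"),
    ]
    for p in traffic:
        s.inspect(p)
    return s.alarms


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The port-sweep rule is what makes "composite" cost something: the sensor must hold per-pair state and age it out, which is why thresholds and windows are tunable per signature rather than fixed.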

12 Sensor—Event Logging
Events are logged for three different activities:
- Alarms: when a signature is detected
- Errors: when an error is detected
- Commands: when a user executes a command on the Director or Sensor
[Diagram examples: Ping Sweep (alarm), Director Lost Communications (error), Shun Attacking Host (command)]

13 Sensor—Attack Response: Session Termination and Shunning
- Session termination (TCP hijack): kills the current active session
- Shunning: the Sensor reconfigures the router (network device) to deny the attacker access
[Diagram: Sensor instructs network device to shun Attacker]
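Automatic shunning is the one response on this slide that can hurt the defender: a source address can be spoofed, so a sensor that blindly converts alarms into router deny entries can be steered into cutting off its own DNS servers or a business partner. The following is an added example, not NetRanger or Cisco code, of the controls a practitioner puts around a shun list before wiring it to a router: a never-shun list, a time-to-live so entries expire, and regeneration of the whole ACL each time rather than editing single entries. The ACL number 199, the networks and the TTL are illustrative assumptions; the `access-list N deny ip host A any` form is standard IOS syntax.

```python
"""Added example (not NetRanger/Cisco code): a shun list with a never-shun
list and expiring entries, rendered as IOS-style ACL lines."""
import ipaddress

ACL_NUMBER = 199  # illustrative ACL number, not a NetRanger default


class ShunManager:
    def __init__(self, never_shun, ttl=900):
        # Addresses the sensor must never block, however loud the alarm
        # (own DNS/mail, partner links, the Director itself).
        self.never_shun = [ipaddress.ip_network(n) for n in never_shun]
        self.ttl = ttl            # seconds a shun stays in place
        self.active = {}          # ip -> expiry time

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_shun)

    def shun(self, ip, now):
        """Add (or refresh) a shun; returns the ACL line, or None if refused."""
        if self.is_protected(ip):
            return None
        self.active[ip] = now + self.ttl
        return f"access-list {ACL_NUMBER} deny ip host {ip} any"

    def expire(self, now):
        """Drop entries past their TTL; returns the list of released addresses."""
        gone = [ip for ip, exp in self.active.items() if exp <= now]
        for ip in gone:
            del self.active[ip]
        return gone

    def render_acl(self):
        """Whole ACL, regenerated from current state: deny each shunned host,
        then permit everything else. Rewriting the full list avoids the
        classic numbered-ACL pitfall of editing single entries in place."""
        hosts = sorted(self.active, key=ipaddress.ip_address)
        lines = [f"access-list {ACL_NUMBER} deny ip host {ip} any" for ip in hosts]
        lines.append(f"access-list {ACL_NUMBER} permit ip any any")
        return lines


def run_demo():
    """Constructed scenario: one spoofed alarm naming our DNS server, one real attacker."""
    m = ShunManager(never_shun=["10.0.0.0/8", "192.0.2.53/32"], ttl=60)
    refused = m.shun("192.0.2.53", now=0)      # spoofed source: refused
    added = m.shun("198.51.100.7", now=0)       # real attacker: blocked
    acl_now = m.render_acl()
    released = m.expire(now=60)                 # TTL reached: entry released
    return refused, added, acl_now, released, m.render_acl()


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```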

14 Sensor—Session Logging
- Capture evidence (keystrokes) of suspicious or criminal activity
- Fish bowl or honeypot: learn and record a hacker's knowledge of your network
[Diagram: Attacker -> Sensor -> Protected Network, with the attack session written to a session log]

15 NetRanger Deployment
[Deployment diagram labels: Internet; Cisco Router with IOS Firewall; PIX Firewall; Switch; DNS Server; WWW Server; Corporate Network (Engineering, Finance, Admin); Business Partner; Dial-Up Access via Cisco Router; NetRanger Director; Cisco Secure Server (ID/Auth., TACACS+); NetRanger Remote Security Monitoring; NetRanger NetSonar (NR/NS)]

16 NetRanger Director
- Geographically oriented GUI
- Operations-friendly: HP OpenView GUI; color icon alarm notification; quickly pinpoint, analyze and respond; maintain security operations consistency
- Network Security Database: attack info, hotlinks, countermeasures; customizable
- Monitor hundreds of Sensors per NOC

17 Software Requirements
- Operating systems: Solaris 2.5.1 or 2.6; HP-UX 10.20
- HP OpenView 4.11, 5.01, 6.0
- Web browser (for NSDB)

18 Hardware Requirements
Sun SPARC platform with:
- NetRanger install partition: /usr/nr (50 MB)
- NetRanger log partition: /usr/nr/var (2 GB)
- HP OpenView install partition: /opt (110 MB)
- Java run-time environment: /opt (12 MB)
- System RAM: 96 MB

19 Hardware Requirements (cont.)
HP-UX platform with:
- NetRanger install partition: /usr/nr (50 MB)
- NetRanger log partition: /usr/nr/var (2 GB)
- HP OpenView install partition: /opt (65 MB)
- Java run-time environment: /opt (10 MB)
- System RAM: 96 MB

20 Director - Distributed Management
- Director Tier 1: enterprise strategic management
- Director Tier 2: regional operational management
- Director Tier 3 (several): local network security management

21 Alarm Display and Management
[Screenshot labels: Director icon; Sensor icon; context intrusion alarm; content intrusion alarm]

22 Configuration Management

23 Network Security Database
On-line reference tool containing:
- Descriptions
- Recommendations and fixes
- Severity ratings
- Hyperlinks to external information/patches

24 E-mail and Script Execution
- E-mail notification: sends notification to an e-mail recipient or pager
- Custom script execution: starts any user-defined script

25 The Security Wheel: Defense In-Depth (repeat of slide 2)

26 What comprises Active Audit?
- NetSonar (proactive, assurance): vulnerability scanning; network mapping; measure exposure; security expertise
- NetRanger (reactive): real-time analysis; intrusion detection; dynamic response

27 NetSonar™ Security Scanner “ Proactive Security” 0305_10F8_c2

28 Active Audit—Network Vulnerability Assessment
- Assess and report on the security status of network components
- Scanning (active, passive), vulnerability database
- Product: NetSonar

29 NetSonar Overview
- Vulnerability scanning and network mapping system
- Identifies and analyzes security vulnerabilities in ever-changing networks: "proactive" software
- Industry-leading technology
- Network mapping
- Host and device identification
- Flexible reporting
- Scheduled scanning

30 Network Discovery Process
- Network mapping: identify live hosts; identify services on hosts
- Vulnerability scanning: analyze discovery data for potential vulnerabilities; confirm vulnerabilities on targeted hosts

31 Network Mapping Tool
- Uses multiple techniques: ping sweeps (electronic map); port sweeps (service discovery)
- Unique discovery features: detects workstations, routers, firewalls, servers, switches, printers, and modem banks; detects operating systems and version numbers
- Does not require SNMP

32 Vulnerability Assessment Engine
- Potential Vulnerability Engine (passive): compares network discovery data to rules to reveal potential vulnerabilities
- Confirmed Vulnerability Engine (active): uses well-known exploitation techniques to fully confirm each suspected vulnerability and to identify vulnerabilities not detected during passive mapping

33 How NetSonar Works
1. Network discovery: active ping sweep (identify hosts); inactive port sweeps (identify services)
2. Passive vulnerability analysis: discovery data analyzed by rules
3. Active vulnerability analysis: exploits executed against target hosts
4. Presentation and reporting: communicate results
[Diagram: discovered hosts Email Svr (SMTP), Web Svr, Workstation, Firewall, Router with services FTP, HTTP, FTP, Telnet; example findings: Workstation: Windows NT v4.0 SMB Redbutton; Anonymous FTP; FTP Bounce Exploit]
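Slides 30 to 33 describe one pipeline: discovery produces host and service records, the passive engine matches them against rules to flag potential vulnerabilities, and only then does the active engine confirm them. The following is an added example, not NetSonar code, of the passive step: constructed discovery records (addresses, device kinds, OS strings, port-to-banner maps) run through a small rule set, with every finding left at status "potential" because nothing here performs the active confirmation. Rule names, severities and the banner text are assumptions made for the example.

```python
"""Added example (not NetSonar code): passive vulnerability analysis, i.e.
discovery data compared against rules to produce *potential* findings."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Host:
    addr: str
    kind: str                      # "workstation", "server", "router", "firewall"
    os: str = ""                   # as guessed by the mapping tool
    services: dict = field(default_factory=dict)   # port -> banner text


@dataclass
class Finding:
    host: str
    name: str
    severity: str
    status: str = "potential"      # "confirmed" only after an active check


# Each rule: (finding name, severity, predicate over a Host). Constructed for
# the example; a real scanner's rule base is far larger and versioned.
RULES = [
    ("Anonymous FTP enabled", "medium",
     lambda h: 21 in h.services and "anonymous" in h.services[21].lower()),
    ("Cleartext management service (Telnet) on network device", "low",
     lambda h: 23 in h.services and h.kind in ("router", "firewall")),
    ("SMB exposed on Windows NT 4.0 host", "high",
     lambda h: h.os.startswith("Windows NT 4.0") and 139 in h.services),
    ("HTTP server running on firewall", "medium",
     lambda h: h.kind == "firewall" and 80 in h.services),
]


def analyze(hosts, rules=RULES):
    """Passive engine: apply every rule to every discovered host."""
    findings = []
    for h in hosts:
        for name, severity, predicate in rules:
            if predicate(h):
                findings.append(Finding(h.addr, name, severity))
    return findings


def summarize(findings):
    """Severity counts for the report stage (stage 4 on the slide)."""
    return dict(Counter(f.severity for f in findings))


def demo_hosts():
    """Constructed discovery output for a small network."""
    return [
        Host("10.1.0.10", "server", "Unix", {25: "220 mail ESMTP"}),
        Host("10.1.0.20", "server", "Unix",
             {80: "Apache/1.3", 21: "220 FTP server ready (anonymous login ok)"}),
        Host("10.1.0.30", "workstation", "Windows NT 4.0 SP3", {139: "netbios-ssn"}),
        Host("10.1.0.1", "router", "IOS", {23: "telnet"}),
        Host("10.1.0.2", "firewall", "", {}),
    ]


if __name__ == "__main__":
    found = analyze(demo_hosts())
    for f in found:
        print(f"{f.host:12} {f.severity:7} {f.status:10} {f.name}")
    print(summarize(found))
```

Keeping the status field separate from the rule match is the point of the two-engine design on slide 32: a banner saying "anonymous login ok" is evidence, not proof, and the report should not present it as confirmed until the active engine has checked it.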


