Mitigation Strategies Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

Presentation transcript:

1 Mitigation Strategies
Hervey Allen, Chris Evans, Phil Regnauld
September 3 – 4, 2009, Santiago, Chile

2 Overview
– Where Did We Start?
– Where We Are Now…
– Survey of Additional Strategies

3 Where Did We Start?
We started with a fairly simple, non-resilient network:
– One Gateway Router (no ACLs or monitoring)
– One Nameserver
– One Non-Functional NOC
We Were “Blind”!

4 We Are Here!
We now have a fairly simple network that offers us some resiliency to cyber attacks:
– One Gateway Router (with ACLs & monitoring)
– One Nameserver (some configuration changes)
– One Functional NOC (monitoring & detection)
We Can See!

5 We Are Here!
The Things We Discussed:
– Have a Plan BEFORE Attacks Occur
– Various Monitoring Tools
– Configuration Control
– Secure Application Configurations
Tip of the Iceberg!

6 It’s a BIG World…
There are things that we didn’t demonstrate, due to time or because we lacked the ability to add them:
– Anycasting
– Additional Infrastructure
– In-Line Monitoring
– Active Defenses
But – Let’s Discuss!
“By The Way – Not Everything Is a Technical Solution!”

7 Mitigation Strategies
Build a Contingency Plan
– Compare costs of disruption vs. recovery
– Establish a plan of action for what you expect to be your highest risks
– Concentrate on your business objectives & risk
  Risk is NOT threat – it’s an understanding of what’s important to you, threats, vulnerabilities, controls, and impact
– Prioritize security implementations based on risk
  You probably don’t have the time or resources to implement everything
  Good security is about multiple layers of protection

8 Mitigation Strategies
Robust Architectures
– Anycasting
– Geographically Separated Name Servers
– NS on Both Sides of Satellite Links
– Diversity in hardware & software
– Over-provision where possible: bandwidth, servers, people!

9 Mitigation Strategies
Anycasting
“Anycast is a network addressing and routing scheme whereby data is routed to the "nearest" or "best" destination as viewed by the routing topology.” – Wikipedia
[Diagram: two name servers, NS1 and NS2, each labelled with the same prefix 199.7.83.0/24 and origin AS20144; the service address is 199.7.83.42]

10 Mitigation Strategies
Anycasting
– Increased capacity, resiliency to attack
– Outsourcing: instant gratification, perhaps loss of control
  What are you really getting? Ask questions!
– Doing it in house: requires expertise & resources to set it up

11 Mitigation Strategies
Real Time Monitoring
– Stratify your alerts (info, low, med, high, uh oh!)
– E-mail, SMS, pager notifications of priority alerts
– Select tools that work for you!
Intrusion Detection
– Install & monitor an IDS (e.g. SNORT)
– Where to install it? Inside or outside?
– Feeling adventurous? Put it in active mode!

12 A Brief Aside - SNORT
– SNORT monitors traffic seen by the box’s network card in promiscuous mode
– SNORT compares this traffic to a set of static rules (signatures)
– Any matches to the signatures produce an alert
– These alerts can be displayed through SYSLOG or through several other front-ends (like BASE). Alerts can be stored in a database for later analysis
– An operator can view these alerts and take appropriate action
– Note the one-way paths here – for security purposes…
– BUT – these could all be on the same box if you wanted…
[Diagram: SNORT (1.1.1.1) sniffs the network and sends alerts to MySQL (1.1.1.2); BASE (1.1.1.3) reads the alerts from the database so the operator can view them]

13 A Brief Aside - SNORT
The key to SNORT is its rules. There are two kinds of rules:
– Official Ruleset
  – Paying users get them as they are released
  – Registered users get them 5 days after release
  – Unregistered users get them with SNORT releases
– Community Rules – publicly available
Rules are text-based files that contain a signature (what to alert on) and an action (how to alert)
[Diagram: same SNORT / MySQL / BASE layout as slide 12]

14 A Brief Aside - SNORT
(Same text as slide 13, with an example rule added.)
Example rule – alert on any TCP segment with only the SYN flag set that is destined for the home network:

alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet"; sid:1000001; rev:1;)

The action keyword is lower-case (“alert”), quotes are plain ASCII, and a sid/rev pair is included because Snort needs a unique sid to load a rule; the value 1000001 is a placeholder in the local-rule range.
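To make the “signature (what to alert on) + action (how to alert)” idea concrete, here is a small Python matcher that parses the slide’s rule and checks constructed packet summaries against it. It is an added illustration, not code from the workshop or from Snort; the value of $HOME_NET, the packet fields and the sid are assumptions.

```python
import ipaddress
import re

# Assumed for this example: what the $HOME_NET variable expands to (the slide does not say).
RULE_VARS = {"$HOME_NET": "192.0.2.0/24"}

def parse_rule(text):
    """Split a Snort rule into its header (action, protocol, addresses, ports) and options."""
    head, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = {}
    # Options are 'keyword:value;' pairs; msg values are quoted and may contain spaces.
    for key, value in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]+)\s*;', body):
        options[key] = value.strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def _addr_match(spec, ip):
    spec = RULE_VARS.get(spec, spec)  # expand $VARIABLES
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """Return the rule's msg when the (constructed) packet summary matches, else None.
    Only the '->' direction and an exact TCP flag set are handled, which is all the
    slide's rule needs; real Snort supports far more (<>, flag modifiers, content, ...)."""
    if pkt["proto"] != rule["proto"] or rule["dir"] != "->":
        return None
    if not (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
            and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"])):
        return None
    want = rule["options"].get("flags")
    if want is not None and set(want) != set(pkt["flags"]):  # flags:S means SYN and nothing else
        return None
    return rule["options"].get("msg")

SYN_RULE = parse_rule('alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet"; sid:1000001; rev:1;)')

# Constructed packet summaries (not captured traffic).
SYN_IN = {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.53", "dport": 53, "flags": "S"}
SYNACK_IN = dict(SYN_IN, flags="SA")                          # reply half of a handshake: no alert
SYN_OUT = dict(SYN_IN, src="192.0.2.53", dst="203.0.113.5")  # outbound, dst not in $HOME_NET: no alert

if __name__ == "__main__":
    for name, pkt in [("SYN_IN", SYN_IN), ("SYNACK_IN", SYNACK_IN), ("SYN_OUT", SYN_OUT)]:
        print(name, "->", matches(SYN_RULE, pkt))
```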

15 A Brief Aside - SNORT
[BASE screenshot: View Alerts By Protocol]

16 A Brief Aside - SNORT
[BASE screenshot: View Recent Alerts By Protocol]

17 A Brief Aside - SNORT
[BASE screenshot: View Recent Alerts By IP]

18 A Brief Aside - SNORT
[BASE screenshot: View Recent Alerts By Port]

19 A Brief Aside - SNORT
[BASE screenshot: View Portscans]

20 A Brief Aside - SNORT
[BASE screenshot: A Single Alert]

21 A Brief Aside - SNORT
[BASE screenshot: Alert Title Links to Alert Information]

22 A Brief Aside - SNORT
[BASE screenshot: Click for IP Analysis – alerts SOURCED from this IP, alerts DESTINED for this IP]

23 Mitigation Strategies
Vulnerability Scanning
– Regularly scheduled scans – using an updated engine!
– Web application, operating system and third-party application scanners are all available…
Patching Systems
– This is NOT a silver bullet – but it keeps the riff-raff out
– Use automatic updates where available
– Vulnerability scanning can tell you what’s missing – don’t assume that because you “installed” it, it actually took
– Don’t forget 3rd-party application updates (Adobe, Flash, Firefox, etc.)

24 Mitigation Strategies
Forensic Data Capture
– Capture the last, say, 12 hours of traffic to enable you to do forensic analysis on what happened after the fact
Technical Configuration Guides
– Understand how your systems are configured and be able to easily reproduce / rebuild them
– Most already exist; find them BEFORE you need them in a hurry

25 Mitigation Strategies
Data Escrow
– Keeping a copy of your zone and customer data in a safe place
Mutual Aid Agreements
– Other ccTLDs, universities, governments
– Secondary hosts, data escrow, tech assistance
– Temporary manpower & resources
– Do you (would you) share data of an attack with other ccTLDs?

26 Mitigation Strategies
Cold, Warm, Hot & Mirrored Sites
– Secondary locations that can be stood up in case of physical or cyber difficulties
[Diagram: sites labelled A, B, C and D]

27 Mitigation Strategies
Bubba Net (Bubba = Friend, Net = Network)
– Establish your professional networks so you know who to call when you need assistance
Develop a Professional Network of Stakeholders
– Governments, ISPs, registrars, etc.
Awareness Briefings to Stakeholders
– Establish yourself as “critical infrastructure”

28 Mitigation Strategies
End User / Customer Education
– Reduce risk from your customers (e.g. phishing)
Media / Public Relations
– Invite the media in to discuss the best methods of dealing with them
– Build a communication plan so you know how to respond in a given situation

29 Mitigation Strategies
Internal Training & Awareness
– Train your administrators in defensive actions
– Forces you to establish procedures & policies!
Exercise Defensive Actions
– You will only know your defensive capacity by testing it!
– From simple walkthroughs to elaborate, hands-on, multi-agency exercises

30 Mitigation Strategies
Test Your Processes
– Two-factor authentication for customer interaction
– Out-of-band communication (phone, fax, walk-in) for customer validation

31 Notional ccTLD Architecture – Putting It All Together
[Diagram labels: Registrant, User, International User, NS1, NS2, NS3, NS4, Internal, External. Slides 32 – 45 show the same diagram and highlight one element each.]

32 Notional ccTLD Architecture – Registrant: requests assignment, updates, removal
33 Notional ccTLD Architecture – Authentication for Registrant Requests
34 Notional ccTLD Architecture – Authorization for Internal Registry Changes
35 Notional ccTLD Architecture – Offsite Backup for Entire Registry
36 Notional ccTLD Architecture – Registry: publishes and maintains assignments
37 Notional ccTLD Architecture – Alternate Registry Server and Database
38 Notional ccTLD Architecture – Country Localized DNS Servers
39 Notional ccTLD Architecture – Country Localized User
40 Notional ccTLD Architecture – Firewall
41 Notional ccTLD Architecture – Primary Global DNS
42 Notional ccTLD Architecture – Primary External Gateway
43 Notional ccTLD Architecture – Secondary Global DNS Server: Anycasting with Geographic Separation
44 Notional ccTLD Architecture – Secondary External Gateway
45 Notional ccTLD Architecture – International User

46 Recommendations

Threat                      Recommendations
Zone Transfer               Monitoring, DNS Server Configuration
Non-Authoritative Spoofing  Monitoring, Communication
Port Scanning               Monitoring, Awareness of Other Parallel Attacks
Router Re-Config            Monitoring, Configuration Control, Administrative VLANs
SSH Brute Force             Application Logging, Log Analysis, Secure Configuration
DDoS                        Geographic Separation, Anycasting, Country Localized and Global Server Separation
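Two of the table’s recommendations, “Log Analysis” for SSH brute force and “Monitoring” for zone transfers, come down to scanning the logs the servers already write. The Python below is an added example, not workshop material: it runs a failed-login threshold over constructed sshd syslog lines and flags AXFR requests in constructed BIND-style query-log lines from hosts that are not the configured secondaries. The log lines, the allowed-secondary list and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not real captures.
SSH_LOG = """\
Sep  3 10:00:01 ns1 sshd[2001]: Failed password for root from 198.51.100.23 port 50122 ssh2
Sep  3 10:00:03 ns1 sshd[2001]: Failed password for root from 198.51.100.23 port 50123 ssh2
Sep  3 10:00:04 ns1 sshd[2002]: Failed password for admin from 198.51.100.23 port 50124 ssh2
Sep  3 10:00:06 ns1 sshd[2003]: Failed password for invalid user test from 198.51.100.23 port 50125 ssh2
Sep  3 10:00:08 ns1 sshd[2004]: Failed password for oracle from 198.51.100.23 port 50126 ssh2
Sep  3 10:00:09 ns1 sshd[2005]: Accepted publickey for hervey from 192.0.2.50 port 51000 ssh2
Sep  3 10:20:00 ns1 sshd[2010]: Failed password for hervey from 192.0.2.50 port 51001 ssh2
"""
# Constructed BIND-style query-log lines; only 192.0.2.11 is a configured secondary.
DNS_LOG = """\
client 192.0.2.11#4455: query: example.cl IN AXFR - (192.0.2.10)
client 198.51.100.23#5123: query: example.cl IN AXFR - (192.0.2.10)
client 203.0.113.9#2000: query: www.example.cl IN A - (192.0.2.10)
"""
ALLOWED_AXFR = {"192.0.2.11"}  # hypothetical: hosts permitted to transfer the zone

SSH_FAIL = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")
AXFR = re.compile(r"client (?:@\S+ )?(\d+\.\d+\.\d+\.\d+)#\d+.*?: query: (\S+) IN AXFR")

def ssh_bruteforce(log, threshold=5, window=timedelta(minutes=1), year=2009):
    """Map source IP -> most failures seen inside any single window of length `window`,
    for sources that reach `threshold`.  Syslog lines carry no year, so one is supplied."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            attempts[m.group(2)].append(ts)
    hits = {}
    for src, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start < window)  # failures in [start, start + window)
            if n >= threshold:
                hits[src] = max(hits.get(src, 0), n)
    return hits

def unexpected_axfr(log, allowed=ALLOWED_AXFR):
    """List (client_ip, zone) for zone-transfer requests from hosts outside the allowed set."""
    return [(m.group(1), m.group(2)) for m in map(AXFR.search, log.splitlines())
            if m and m.group(1) not in allowed]
```

A non-secondary asking for AXFR is worth an alert even if named.conf’s allow-transfer already refused it: the refusal is still the reconnaissance the table’s “Awareness of Other Parallel Attacks” row has in mind.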

47 References
– Internet Society Workshop Resource Center: http://www.ccnog.org/
– ccTLD Best Practices: http://www.nsrc.org/netadmin/wenzel-cctld-bcp-02.html
– ICANN Country Code Name Support Org: http://ccnso.icann.org/
– ICANN Security & Stability Advisory Committee: http://www.icann.org/committees/security/
– DNS Security Reading Room: http://www.dnssec.net/dns-threats
– DNS Installation & Configuration Training

48 QUESTIONS?
Do you have any questions about…
– Mitigation Strategies

