Traffic Analysis Note


Slide 1
Proventia Network Intrusion Prevention System
What is IPS?
• IPS evolved from IDS
– IDS identifies threats and sends alerts
– IPS blocks attacks targeted at your network
• Because intrusion prevention is designed to block
attacks while allowing legitimate traffic, accurate attack
detection is essential
• For accurate, preemptive protection, IPS products use
multiple techniques to:
– Recognize and identify protocols
– Analyze traffic
• No single intrusion prevention technique can offer
acceptable protection
Proventia Network Intrusion
Prevention System
Slide 2
Protocol Recognition & Identification
• Using multiple techniques, protocols can be
accurately recognized and identified
• Examples of protocol recognition and
identification techniques that IPS devices
should use include:
– Port Assignment
– Heuristics
– Port Following
– Protocol Tunneling Recognition
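The four techniques on this slide, worked through on constructed packets. This is an added example, not Proventia code or IBM ISS material: the port table, the banner and TLS-record heuristics, the FTP PASV parsing used for port following, the "tunneled-over" labels and every sample packet and address are assumptions made for the illustration.

```python
"""Protocol recognition on constructed packets: port assignment, payload
heuristics, port following and tunneling recognition (added illustration,
not Proventia code; all names and samples are assumptions)."""
import re
from dataclasses import dataclass

# Port assignment: the protocol normally expected on a well-known port.
PORT_ASSIGNMENT = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "tls"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, as in RFC 959.
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


class ProtocolIdentifier:
    def __init__(self):
        # Port following: (server address, port) pairs a control channel announced.
        self.followed = {}

    def by_port(self, pkt):
        """Port assignment, extended by ports learned through port following."""
        for key in ((pkt.dst, pkt.dport), (pkt.src, pkt.sport)):
            if key in self.followed:
                return self.followed[key]
        return PORT_ASSIGNMENT.get(pkt.dport) or PORT_ASSIGNMENT.get(pkt.sport)

    @staticmethod
    def by_heuristics(payload):
        """Identify the protocol from the first bytes of the payload."""
        if payload.startswith(b"SSH-"):
            return "ssh"
        if payload.startswith(b"CONNECT "):
            return "http-connect"            # HTTP used to open a tunnel
        if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
            return "http"
        # TLS record: content type 0x16 (handshake), version 0x03xx, ClientHello (1).
        if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
            return "tls"
        return None

    def follow(self, pkt):
        """Port following: learn the data port announced in an FTP PASV reply."""
        m = PASV_RE.match(pkt.payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
            self.followed[(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)] = "ftp-data"

    def identify(self, pkt):
        """Return (protocol, how it was decided)."""
        port_proto = self.by_port(pkt)
        payload_proto = self.by_heuristics(pkt.payload)
        if pkt.sport == 21:                  # server reply on the FTP control channel
            self.follow(pkt)
        if payload_proto is None:
            return port_proto, "port-only"
        if port_proto is None:
            return payload_proto, "heuristic"
        if payload_proto == port_proto:
            return port_proto, "confirmed"
        if payload_proto == "http-connect" and port_proto == "http":
            return payload_proto, "tunnel-request"
        # Protocol tunneling recognition: the payload contradicts the port assignment.
        return payload_proto, f"tunneled-over-{port_proto}-port"


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_PACKETS = [
    Packet("10.0.0.2", "192.0.2.10", 40001, 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.2", "192.0.2.10", 40002, 443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    Packet("10.0.0.2", "192.0.2.10", 40003, 8080, b"GET /api HTTP/1.1\r\n\r\n"),
    Packet("192.0.2.20", "10.0.0.2", 21, 40004, b"227 Entering Passive Mode (192,0,2,20,195,80)\r\n"),
    Packet("10.0.0.2", "192.0.2.20", 40005, 50000, b"binary file contents"),
    Packet("10.0.0.2", "192.0.2.10", 40006, 443, bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01])),
    Packet("10.0.0.2", "192.0.2.10", 40007, 80, b"CONNECT mail.example:25 HTTP/1.1\r\n\r\n"),
]


def run_sample():
    ident = ProtocolIdentifier()
    return [ident.identify(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (proto, how) in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt.dst}:{pkt.dport:<5} -> {proto!s:<13} ({how})")
```

The order of the checks is the point: the port gives a first guess, the payload either confirms it or overrides it, a PASV reply on the control channel teaches the identifier which high port to expect next, and a payload that disagrees with its port is the signal a tunneling check keys on.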
Slide 3
Traffic Analysis Techniques
• Traffic analysis helps the IPS:
– Determine the intent of the traffic
– Block malicious traffic
• Some examples of traffic analysis techniques that
IPS devices should use are:
– Protocol Analysis
– RFC Compliance
– TCP Reassembly
– Flow Reassembly/Simulation
– Statistical Threshold Analysis
– Pattern Matching
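Four of the techniques listed here (RFC compliance, TCP reassembly, pattern matching and statistical threshold analysis) run over constructed TCP segments. This is an added example and not Proventia code; the placeholder signature, the SYN threshold, the flag checks and all sample segments and addresses are assumptions made for the illustration. It shows the reason reassembly is listed separately from pattern matching: a pattern split across two segments is invisible to per-segment matching.

```python
"""Traffic analysis over constructed TCP segments: RFC compliance checks,
TCP reassembly, pattern matching and a statistical threshold (added
illustration, not Proventia code; signature, threshold and samples are
assumptions)."""
from collections import defaultdict
from dataclasses import dataclass

# Placeholder signature; a real IPS loads patterns from its security content.
SIGNATURES = {"TEST-SIG-0001": b"TEST-SIGNATURE-0001"}
SYN_THRESHOLD = 3   # constructed: SYNs from one source before it is reported


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: str          # e.g. "S", "A", "PA", "SF"
    payload: bytes = b""


def flow_key(seg):
    return (seg.src, seg.sport, seg.dst, seg.dport)


def rfc_violations(segments):
    """RFC compliance: flag combinations a conforming TCP stack never sends."""
    bad = []
    for seg in segments:
        if "S" in seg.flags and "F" in seg.flags:      # SYN and FIN together
            bad.append(seg)
        elif seg.flags == "":                           # no flags set at all
            bad.append(seg)
    return bad


class Reassembler:
    """Order each flow's segments by sequence number into one byte stream."""

    def __init__(self):
        self.buffers = defaultdict(dict)   # flow -> {seq: payload}
        self.isn = {}                      # flow -> first data sequence number

    def add(self, seg):
        key = flow_key(seg)
        if "S" in seg.flags and key not in self.isn:
            self.isn[key] = seg.seq + 1    # the SYN consumes one sequence number
        if seg.payload:
            self.buffers[key][seg.seq] = seg.payload

    def stream(self, key):
        """Contiguous bytes from the start of the flow; stops at the first gap."""
        segs = self.buffers.get(key, {})
        next_seq = self.isn.get(key, min(segs) if segs else 0)
        out = b""
        while next_seq in segs:
            out += segs[next_seq]
            next_seq += len(segs[next_seq])
        return out


def match_per_segment(segments):
    """Pattern matching on each segment alone: misses a pattern split across two."""
    return {name for seg in segments for name, pat in SIGNATURES.items() if pat in seg.payload}


def match_reassembled(segments):
    """Pattern matching on the reassembled stream of every flow."""
    r = Reassembler()
    for seg in segments:
        r.add(seg)
    return {name for key in r.buffers for name, pat in SIGNATURES.items() if pat in r.stream(key)}


def syn_threshold_sources(segments, threshold=SYN_THRESHOLD):
    """Statistical threshold: sources that opened at least `threshold` connections."""
    counts = defaultdict(int)
    for seg in segments:
        if seg.flags == "S":
            counts[seg.src] += 1
    return {src for src, n in counts.items() if n >= threshold}


def analyze(segments):
    return {
        "rfc_violations": len(rfc_violations(segments)),
        "per_segment": match_per_segment(segments),
        "reassembled": match_reassembled(segments),
        "threshold_sources": syn_threshold_sources(segments),
    }


# Constructed sample: one HTTP flow whose request carries the test pattern split
# across two segments delivered out of order, one SYN+FIN segment, and one
# source that opens many connections in a row.
WEB = "192.0.2.10"
SAMPLE_SEGMENTS = [
    Segment("10.0.0.2", WEB, 40001, 80, 1000, "S"),
    Segment("10.0.0.2", WEB, 40001, 80, 1028, "PA", b"ATURE-0001 HTTP/1.1\r\n\r\n"),
    Segment("10.0.0.2", WEB, 40001, 80, 1001, "PA", b"GET /index.html?q=TEST-SIGN"),
    Segment("10.0.0.3", WEB, 40002, 80, 5000, "SF"),
] + [Segment("198.51.100.7", WEB, 41000 + i, 80, 100 * i, "S") for i in range(4)]


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_SEGMENTS).items():
        print(f"{name:>18}: {value}")
```

The reassembler stops at the first sequence gap, so a flow with a missing segment simply yields a shorter stream rather than bytes in the wrong order; a production engine would also bound how much it buffers per flow, which is the resource concern behind "Flow Reassembly/Simulation" on the slide.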
Slide 4
Operational Concerns
• When protecting systems and data, the
primary objectives fall within three categories:
– Confidentiality
– Integrity
– Availability
• Your IPS and system administrators are
responsible for maintaining the confidentiality,
integrity and availability of organizational
systems and data
Slide 5
Challenges for Security Administrators
• Security Administrators must have a vast
knowledge base including:
– TCP/IP
– Windows platforms
– Unix platforms
– Firewalls
– Routers
– VPNs
• An administrator must have knowledge and
experience in implementing security on all the
various devices within your organization
Slide 6
Why a Firewall is not Enough
• Standard firewalls make access control decisions
based on the:
– Source and destination IP addresses
– Destination port or protocol
• Standard firewalls are incapable of differentiating
valid traffic from malicious traffic
Example: If port 80 is open through your firewall
to your public web server, a standard firewall
cannot prevent malicious attacks destined for
port 80
Slide 7
How IPS Helps Your Organization
Intrusion prevention systems can:
• Identify and prevent problems to avoid costly damage
• Minimize incident damage by immediately responding
to a threat
• Prevent trojans from entering the system and deleting
files
• Prevent employees from transmitting critical
documentation that could cause an organization a loss
of market advantage
• Collect data and evidence
Slide 8
IPS From IBM ISS
• IBM Internet Security Systems offers top of the
line intrusion prevention products which include:
– Proventia® Network Intrusion Prevention System (IPS)
– Proventia® Network Multi-Functional Security
– Proventia® Desktop Endpoint Security
– Proventia® Server Intrusion Prevention System
• The SiteProtector™ management system:
– Provides scalable, centralized security management
for all IBM ISS products
– Reduces demands on IT staff and other operational
resources
Slide 9
Proventia Network IPS
• Proventia Network IPS:
– Identifies attacks against systems and services by
copying packets and processing them outside the
kernel
– Can be operated inline to prevent network intrusions
and attacks
• Proventia Network IPS also protects your network
from intrusions and attacks in two primary ways:
– Intrusion protection capability to block attack packets
– Firewall capability to drop unwanted packets
Slide 10
Intrusion Prevention Solution
• Proventia Network IPS prevents attacks and unwanted
traffic from entering your network such as:
– Spyware
– Intrusions
– Malicious code
– Backdoors
– Hybrid threats
• Because network traffic travels through inline
appliances, the appliance can analyze traffic and block
attacks in real-time
• Proventia Network IPS complements the gateway
firewall allowing permitted traffic and blocking
unwanted traffic and attacks
– Because this occurs in real-time, there is no disruption of
legitimate network traffic
Slide 11
Intrusion Prevention Solution
Several IPS features protect your network, for example:
• Dynamic blocking
• Firewall rules
• Quarantine and Block responses
• Three operating modes:
– Inline Protection
– Inline Simulation
– Passive Monitoring
• SNMP support
• Virtual Patch™ protection
• Automatic security content updates
Slide 12
Benefits of Proventia Network IPS
Proventia Network IPS offers the following
advantages:
• Provides real-time intrusion prevention,
without disrupting normal network traffic
• Quarantines known and unknown threats
• Allows valuable IT resources to focus on other
critical projects
Slide 13
Proventia Management SiteProtector Appliance
• SiteProtector appliance comes pre-installed with:
– SiteProtector Application Server
– Agent Manager
– Event Collector
– SiteProtector Database
– X-Press Update Server
– SiteProtector Firmware
– Proventia Server for Windows
• Before deploying SiteProtector appliance, you must perform initial
configuration to enter:
– IP address and subnet mask
– Host name and DNS
– Gateway IP address
Introduction to Proventia®
Management SiteProtector
Slide 14
Adapter Modes
[Diagram: adapter modes (label: Protection)]
Slide 15
Connecting an Appliance
Slide 16
Switch/Hub to Switch/Hub
• When deploying the inline appliance between
two switches/hubs, establish straight
connections from the:
– First switch/hub to the appliance
– Appliance to the second switch/hub
Slide 17
Workstation/Server to Router
• When deploying the inline appliance between
a server or workstation and a router:
– Establish a crossover connection from the
server/workstation to the appliance
– Establish a crossover connection from the
appliance to the router
Slide 18
Workstation/Server to Switch/Hub
• When deploying the inline appliance between
a server or workstation and a switch or hub:
– Establish a crossover connection from the
server/workstation to the appliance
– Establish a straight cable connection from the
appliance to the switch/hub
Slide 19
Router to Switch/Hub
• When deploying the inline appliance between
a router and a switch/hub:
– Establish a crossover connection from the router
to the appliance
– Establish a straight cable connection from the
appliance to the switch/hub
Slide 20
Router to Router
• When deploying the inline appliance between
two routers, establish a crossover connection
from the:
– First router to the appliance
– Appliance to the second router
Slide 21
Proventia Network IPS High
Availability
• Supports two identical Proventia Network IPS
appliances in the following network environment:
– Primary/Secondary configuration
– Clustering configuration
• Uses two appliances connected together by mirror
links so that both appliances maintain identical state
[Diagram: two Proventia Network IPS appliances]
Slide 22
High Availability Port Configuration
Slide 23
Configuring Appliance Policies
• You can configure appliance policies that control management functions
and security settings
• The Proventia Network IPS uses the following policies:
– Connection Events
– Firewall
– Global Tuning Parameters
– Protection Domains
– Response Objects
– Security Events
– OpenSignature Events
– Update Settings
– User Defined Events
– Local Tuning Parameters (Note: Available at the agent level only)
Slide 24
Ignore
• Ignore is a default response associated with a
Response Filter which disregards packets that
match the specified criteria
• Use the Ignore response to filter Security
Events that are not a threat to your
organization
Slide 25
Event Policies
• You can configure several types of events and
the corresponding responses
• Event policies include:
– Firewall
– Connection Events
– OpenSignature Events
– User Defined Events
– Security Events
Slide 26
Configuring Firewall Rules
• Add firewall rules to drop or block unwanted packets
before they enter your network
• Rules can be defined using any combination of the following:
– Adapter
– VLAN range
– Protocol (TCP, UDP, ICMP)
– Source/Target IP address and port ranges
• Firewall rules:
– Work when the appliance is set to Inline Protection mode
– Are triggered on the ingress port
– Are processed in the order listed
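An ordered rule evaluator over the fields listed on this slide, run against constructed packets. This is an added example, not Proventia code or its policy format: the rule actions ("drop" and "allow"), the default verdict, the adapter names, the rule set and all sample addresses and packets are assumptions made for the illustration. It demonstrates the three properties above (rules are bound to the ingress adapter, are processed in the order listed, and the first match wins), and it also illustrates the earlier "Why a Firewall is not Enough" slide: two port-80 packets with different payloads get the same verdict because no rule field ever looks past the headers.

```python
"""Ordered firewall-rule evaluation on constructed packets (added
illustration, not Proventia code; actions, adapters, rules and packets
are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    adapter: str           # ingress adapter the packet arrived on
    vlan: int
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""   # never consulted by a firewall rule


@dataclass
class Rule:
    action: str                              # "drop" or "allow" (constructed names)
    comment: str = ""
    adapter: Optional[str] = None            # None means any
    vlan: Optional[Tuple[int, int]] = None   # inclusive VLAN id range
    proto: Optional[str] = None
    src: Optional[str] = None                # CIDR
    dst: Optional[str] = None                # CIDR
    sport: Optional[Tuple[int, int]] = None  # inclusive port range
    dport: Optional[Tuple[int, int]] = None

    def matches(self, pkt):
        """Every field that is set must match; unset fields are wildcards."""
        if self.adapter is not None and pkt.adapter != self.adapter:
            return False
        if self.vlan is not None and not self.vlan[0] <= pkt.vlan <= self.vlan[1]:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        for cidr, addr in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if cidr is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(cidr):
                return False
        for rng, port in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
            if rng is not None and not rng[0] <= port <= rng[1]:
                return False
        return True


def evaluate(rules, pkt, default="allow"):
    """First matching rule wins; returns (action, index of that rule or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


# Constructed rule set for a web server at 192.0.2.10 behind ingress adapter "A".
RULES = [
    Rule("drop", "blocked source range", adapter="A", src="203.0.113.0/24"),
    Rule("allow", "HTTP to web server", adapter="A", vlan=(10, 20), proto="tcp",
         dst="192.0.2.10/32", dport=(80, 80)),
    Rule("drop", "everything else to web server", adapter="A", dst="192.0.2.10/32"),
]

# Constructed packets; the second differs from the first only in its payload.
PACKETS = {
    "web_request": Packet("A", 10, "tcp", "198.51.100.4", "192.0.2.10", 40001, 80,
                          b"GET / HTTP/1.1\r\n\r\n"),
    "web_request_odd_payload": Packet("A", 10, "tcp", "198.51.100.4", "192.0.2.10", 40002, 80,
                                      b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n"),
    "blocked_source": Packet("A", 10, "tcp", "203.0.113.9", "192.0.2.10", 40003, 80),
    "wrong_vlan": Packet("A", 30, "tcp", "198.51.100.4", "192.0.2.10", 40004, 80),
    "other_adapter": Packet("B", 10, "tcp", "203.0.113.9", "192.0.2.10", 40005, 22),
}


def run_sample():
    results = {name: evaluate(RULES, pkt) for name, pkt in PACKETS.items()}
    # Same rules with the allow placed ahead of the block: order changes the verdict.
    reordered = [RULES[1], RULES[0], RULES[2]]
    results["blocked_source_reordered"] = evaluate(reordered, PACKETS["blocked_source"])
    return results


if __name__ == "__main__":
    for name, (action, idx) in run_sample().items():
        print(f"{name:<26} -> {action} (rule {idx})")
```

Two results are worth checking when you write a real policy: the packet that arrives on adapter "B" falls through every rule because all three are bound to adapter "A" (a rule bound to one ingress port does nothing for the other), and moving the allow above the block turns a dropped packet into an allowed one without changing a single field.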
Slide 27
Proventia Manager Home Page
• The Proventia Manager Home page provides a
snapshot of the appliance status:
– Proventia Manager navigation tree
– Appliance (Agent) name
– Protection Status
– System Status
– Messages about the appliance
– System Logs and Alerts buttons for each module
Slide 28
Support Page
Slide 29
Notification Options
Slide 30
About the Quarantined Intrusions Page
Slide 31
Firewall Settings
Slide 32
Update Options
Slide 33
SiteProtector Console
• The purpose of the Console is to let you:
– Manage SiteProtector components and agents.
– Monitor security of your network.
• The specific tasks you can perform using Console
depend on your user group permissions.
• You can install the Console on any computer that meets
minimum system requirements.
– Not necessary to install Console on a computer that
houses other SiteProtector components.
– Computer with Console must have network access to
SiteProtector Application Server.
• The Console allows you to access and view
multiple SiteProtector sites.
Slide 34
Console Window
Slide 35
Console Grouping Tools
My Sites tree:
• Allows you to organize
multiple SiteProtector sites.
• Allows you to organize Asset
Groups for:
– SiteProtector components
and agents.
– Network assets.
• Facilitates command and
control, and event analysis.
Slide 36
Console Tabs
You can access the following Console tabs using the
drop-down list on the toolbar:
• Summary
• Agent
• Analysis
• Asset
• Policy
• Report
• System
• Ticket
• Traffic Analysis
Note: See training guide for navigation information.
Slide 37
Summary Tab
Slide 38
Agent Tab
Slide 39
Analysis Tab
Slide 40
Asset Tab
Slide 41
Policy Tab
Slide 42
Report Tab
Slide 43
System Tab
Slide 44
Ticket Tab
Slide 45
Traffic Analysis Tab
Slide 46