IntruShield, Not a Panacea (But Close)
McAfee and Georgia State University---Taking Aim at Network Intruders With IntruShield's Intrusion Prevention System
Tammy Clark, Chief Information Security Officer,
William Monahan, Lead Information Security Administrator
Bill Boyle, Product Line Executive, Network Security
Today’s Agenda
– A Little Background Info
– Bad Guys are Getting Smarter
– IntruShield, Not a Panacea (But Close)
– One Size Does Not Fit All (Child Domains)
– Application of Sigs – Not For the Faint of Heart
– Leveraging Stateful Firewall
– Unidirectionally Blocking P2P
– Hypercommunicate
– Dealing with: "The FW Broke It"
– McAfee IntruShield Architecture
– Network Class Hardware
Copyright GSU, eFortresses, March 2007. Permission is granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by
permission of the author. To disseminate otherwise or to republish requires written permission from the author.
A Little Background Info
• GSU's information security program launched in 2000 w/one staff member (now have three)
• Decentralized information technology environment – success through tools, governance, & cooperation/collaboration w/stakeholders
• Information Security Department & Office of Disbursements recommended for ISO 27001 Certification by BSI in 2008 (incrementally expanding the scope)
Bad Guys are Getting Smarter
• 2004 – Phishing
  2008 – Spear Phishing (highly targeted/sophisticated)
• 2004 – BOTs easy to find via monitoring IRC channels
  2008 – Command/control w/common ports & encryption
• 2004 – Exploits targeting OS vulnerabilities & some Apps
  2008 – Exponential growth in exploits targeting Apps
• 2004 – Users had to click on a link to obtain malware
  2008 – Downloaders via compromised "legitimate" sites are killing us
IntruShield, Not a Panacea (But Close)
• IntruShield 4000 Appliance Deployed in August of 2004 on the Perimeter (a lot of questions/uncertainty)
• Advantages of IPS (Intrusion Prevention System) as Opposed to Traditional FW Technologies
• Lessons Learned & Best Practices
  – One size does not fit all (unique policies for different colleges/departments)
  – Incremental application of signatures w/change management & change control
  – Leveraging stateful firewall in conjunction w/signatures
  – Success with unidirectionally blocking P2P
  – Hypercommunicate – reporting, change management & control
  – Dealing with: "it's gotta be the FW"
One Size Does Not Fit All (Child Domains)
Application of Sigs – Not For the Faint of Heart
• Incremental Approach
• Change Management & Control
• Tie Filtration Back to Policy
• Beware of the Complacency
• No mods after Wednesday @ 3:00 PM
• Which Direction?
Leveraging Stateful Firewall
• The "Nuclear Option" for Colleges & Departments
• Protection for System IP(s) that Process "confidential" information (HIPAA, FERPA, Visa PCI…)
Unidirectionally Blocking P2P
February 2006 – wireless networks on verge of collapse due to ubiquitous P2P traffic & inordinate amount of copyright infringement notifications – referenced Server Registration Policy & blocked outbound traffic
Totally blocked for areas that process "confidential" information
Hypercommunicate!
• Daily Attack Reports to IT Managers – Outbound High & Medium Attacks – Increased Awareness Spawned Filtration Requests & Disciplinary Action
• Monday afternoon change management / change control meetings
• Monthly Information Technology Security and Support Subcommittee (ITSSS) meetings
• Email broadcasts – Example: system wide notification for remote access filtration (SSH, IRC, pcAnywhere, Remote Desktop Protocol, VNC…)
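The daily report described on this slide (outbound High & Medium attacks, delivered per IT manager) and the direction question raised under "Application of Sigs" both come down to the same two steps: decide whether an alert is outbound from the campus ranges, and map the internal endpoint to the department that owns it. The script below is an added example, not GSU's or McAfee's code, and every specific in it is constructed: the pipe-separated alert line format, the 10.0.0.0/8 address plan, the department subnets, and the sample alerts. A real IntruShield export uses its own format and would need its own parser.

```python
"""Daily outbound-attack report: keep only outbound High/Medium IPS alerts
and group them by the department that owns the internal address.

Added example, not GSU's or McAfee's code. The alert line format, the
address plan and the department map are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed campus address plan (assumption, not from the slides).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DEPARTMENTS = {
    ipaddress.ip_network("10.1.0.0/16"): "College of Business",
    ipaddress.ip_network("10.1.9.0/24"): "Disbursements",  # carve-out that handles confidential data
    ipaddress.ip_network("10.2.0.0/16"): "Student Wireless",
}
CONFIDENTIAL_NETS = [ipaddress.ip_network("10.1.9.0/24")]
REPORT_SEVERITIES = {"High", "Medium"}

# Constructed sample export: timestamp|severity|signature|src|dst (assumed format).
SAMPLE_ALERTS = """\
2007-03-05 08:12:01|High|IRC: Bot Command Channel|10.2.14.7|198.51.100.23
2007-03-05 08:15:44|Medium|P2P: BitTorrent Handshake|10.2.14.7|203.0.113.9
2007-03-05 09:02:10|High|HTTP: Exploit Attempt|192.0.2.5|10.1.3.20
2007-03-05 09:30:00|Low|ICMP: Echo Sweep|10.1.3.21|203.0.113.200
2007-03-05 10:47:33|High|SMTP: Mass Mailer|10.1.9.15|198.51.100.80
2007-03-05 11:05:12|Medium|P2P: Gnutella Query|10.1.3.22|203.0.113.55
"""


def is_internal(ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Classify a flow by which ends fall inside the campus ranges."""
    s, d = is_internal(src), is_internal(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s and d else "external"


def department_of(ip):
    """Longest-prefix match, so a /24 carve-out wins over its enclosing /16."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, name in DEPARTMENTS.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else "Unassigned"


def in_confidential_zone(ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in CONFIDENTIAL_NETS)


def parse_alerts(text):
    """Parse the constructed pipe-separated export into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sev, sig, src, dst = line.split("|")
        alerts.append({"ts": ts, "severity": sev, "signature": sig, "src": src, "dst": dst})
    return alerts


def outbound_report(alerts):
    """Return {department: [alerts]} holding only outbound High/Medium events,
    the subset the slides say goes to IT managers every day."""
    report = defaultdict(list)
    for a in alerts:
        if a["severity"] not in REPORT_SEVERITIES:
            continue
        if direction(a["src"], a["dst"]) != "outbound":
            continue
        entry = dict(a, confidential_zone=in_confidential_zone(a["src"]))
        report[department_of(a["src"])].append(entry)
    return dict(report)


def render(report):
    """Plain-text summary, one section per department, sorted by name."""
    lines = []
    for dept in sorted(report):
        lines.append(f"== {dept}: {len(report[dept])} outbound alert(s) ==")
        for e in report[dept]:
            flag = "  [CONFIDENTIAL ZONE]" if e["confidential_zone"] else ""
            lines.append(f"{e['ts']}  {e['severity']:<6} {e['src']} -> {e['dst']}  {e['signature']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(outbound_report(parse_alerts(SAMPLE_ALERTS))))
```

Direction is decided purely by which endpoint sits in the internal ranges, which is what makes the report independent of any one sensor's notion of "inbound" and "outbound"; the inbound exploit attempt and the Low-severity sweep in the sample never reach a manager. The confidential-zone flag is the hook for the "totally blocked" policy on the P2P slide: those hosts are the ones where any outbound hit should be read as a policy failure rather than a nuisance.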
Dealing with: "The Firewall Broke It"
80% of the "The Firewall Broke It" issues are quickly disproved via VPN session or generating an IntruShield report.
Other options include punching a "really big hole" or placing IntruShield in fiber bypass mode.
McAfee IntruShield Architecture
(Section-divider diagram; recoverable labels only.)
• Network Class
• Accurate – Real Events Are Found In Real-Time
• Decrease OpEx – Set and Forget, Short Learning Curve, Easy To Use
• 30,000 to 30
• Network Class Hardware
Network Class Hardware
(Product positioning chart; labels as extracted, in slide order.) Models and throughput: M-8000 (10 Gbps); M-6050 (5 Gbps); I-4000 (2 Gbps); I-3000 (1 Gbps); I-2700, I-1400 (600 Mbps, 200 Mbps); I-4010, I-1200 (100 Mbps).
Target segments: SMB & Branch Office; Enterprise Perimeter; Enterprise / Service Providers; Enterprise Core / Service Providers.
Powerful Alert Analysis
IntruShield's Collaborative Security Infrastructure
• Integration with ePO – Faster time-to-protection/time-to-resolution with real-time visibility of system host details, top Host IPS attacks & AV/spyware events
• Integration with Foundstone – Real-time Risk-Aware IPS with on-demand threat relevancy and Foundstone 'scan now' functionality
• Integration with McAfee NAC – Behavior-driven host quarantine and Dynamic NAC for real-time post-admission control of managed and un-managed hosts
(Diagram labels: McAfee ePO, McAfee Foundstone, McAfee IntruShield, McAfee ToPS Enterprise.)
ePO Host Details in ISM
(Screenshot of ePO host details in ISM.)
Foundstone Integration
Integration with IntruShield = Risk-Aware Intrusion Prevention
IntruShield Alert Viewer provides alert & risk relevancy, based on Foundstone scan data
Questions?
• Tammy Clark – [email protected]
• Bill Boyle – [email protected]
• William Monahan – [email protected]