View Presentation - PPT - SANS Technology Institute
Download
Report
Transcript View Presentation - PPT - SANS Technology Institute
Intrusion Detection & Response:
Leveraging Next-Generation Firewalls
Ahmed Abdel-Aziz
November 2009
GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT)
CISSP
SANS Technology Institute - Candidate for Master of Science Degree
1
1
Objective
1) Describe Recent Threat Trends & Security Statistics
2) What are Next-Generation Firewalls (NGFWs)
3) How to Leverage NGFWs in Intrusion Detection
NGFWs in Bot Detection & Extrusion Detection
4) How to Leverage NGFWs in Intrusion Response
NGFWs in Incident Handling, NAC, and Application Enforcement
5) Important Planning Considerations
SANS Technology Institute - Candidate for Master of Science Degree
2
Section 1 of 5
Threat Trends & Security Statistics
• Bots Increasing - Trojan variants spiked 300% from
2007 to 08 [source: McAfee Virtual Criminology Report, 2008]
• Compromise Discovery takes at least months, 65% of
the time
• Responding to Compromise takes at least weeks, 63%
of the time
[source: Verizon Business, 2008 Data Breach Investigations Report]
• NGFWs Can Significantly Reduce Compromise Discovery
(specifically Bot detection) & Response Times.
SANS Technology Institute - Candidate for Master of Science Degree
3
Section 2 of 5
NGFWs – The Evolution
• NGFWs Incorporate Multiple Security Services
• NGFWs Not a Solution to Every Problem: (examples)
– Use WAF for web application attacks (XSS, SQL Injection, etc.)
– Use dedicated email security solution for advanced spam filtering
• Firewalls Typically a Prevention Control; NGFWs Can
Also Become a Detection & Reactive Control
– More Effective, Simpler, and Economical Security
SANS Technology Institute - Candidate for Master of Science Degree
4
Section 3 of 5 (Intrusion Detection)
NGFWs in Bot Detection
• What Bots Do:
– Steal Sensitive Info
– Send Spam, Act as Proxy
– Execute DDOS & Other Attacks
Bot Detection Techniques:
• (1) Detection by Using NIPS Component of NGFW
– NIPS Blocks Attacks Originating from Internal Bots
– NIPS Cuts Communication Between Bot & its Command-andControl (C&C) Server using Known Traffic Signatures
(Popular Bots Only, Unencrypted Communication Only)
SANS Technology Institute - Candidate for Master of Science Degree
5
Section 3 of 5 (Intrusion Detection)
NGFWs in Bot Detection
Continued
• (2) Detection by Blocking Protocol Used in Commandand-Control (C&C)
– Stop Storm Bot Updates by Blocking eDonkey P2P Protocol
– Configured in Fortinet Technology using a Protection Profile
• (3) Detection by Logging Violations & Audit Trail
– Add Explicit Deny Rule at End of Firewall Policy for Logging
– Tighten Outgoing Firewall Policy Too – Not Just Incoming
– Network Audit Trail for Traffic Flow Analysis – Anomalies??
(Malware Can be Detected Without Antivirus, Interesting!!)
SANS Technology Institute - Candidate for Master of Science Degree
6
Section 3 of 5 (Intrusion Detection)
NGFWs in Bot Detection
Continued
• (4) Detection by Filtering Malicious Content in Traffic
– Leverage Perimeter Antimalware, Antispam, URL Filtering
– Configured in Fortinet Technology Using a Protection Profile
– Use SSL Inspection for Network Encrypted Protocols:
HTTPS, SMTPS, POPS, IMAPS
• (5) Detection Using DNS Based Techniques
– High Number of MX DNS Requests From Non SMTP Server
– Same DNS Request From Many Internal Hosts At Same Time
– Very Small TTL Values in DNS Replies (FastFlux)
(What’s in Common? ….. DNS Anomalous Traffic)
SANS Technology Institute - Candidate for Master of Science Degree
7
Section 3 of 5 (Intrusion Detection)
NGFWs in Extrusion Detection
• Basic Data Leakage Prevention
– Prevent Confidential Documents Leakage Through HTTP
– Achieved by Defining Watermark & Creating Custom IPS Rule
– Sample Rule for Fortinet NGFW Below:
config ips custom
edit DataLeakageThroughHTTP
set signature 'F-SBID(--name “DLP” --dst_port 80; --flow bidirection; --default_action DROP; --protocol tcp; --pattern
“Organization Confidential X!kltsrodm*(&!sldrk4#dk-+”;
)'
end
• Other Rules Can be Used to Detect Credit Card
Numbers using Regular Expressions
SANS Technology Institute - Candidate for Master of Science Degree
8
Section 4 of 5 (Intrusion Response)
NGFWs in Incident Handling
• Security Incident Took Place While On-site
(Process Proved Effective in Responding to Spambot)
• (1) Identification Phase – Incident Handling Process
– Users Suddenly Unable to Send Email to Any Destination
– nslookup & telnet to Send Email, SMTP Connection Rejected
– Public IP Blacklisted as Spam Sender
– Sudden Spike in Email Activity,
Spambot on the Network
SANS Technology Institute - Candidate for Master of Science Degree
9
Section 4 of 5 (Intrusion Response)
NGFWs in Incident Handling
Continued
• (2) Containment Phase – Incident Handling Process
– Block All Outgoing TCP/25 Except from Mail Server
– Spambots on Network Unable to Send More Spam,
Damage Already Done (Public IP has been Blacklisted)
• (3) Eradication Phase – Incident Handling Process
– Goal: Remove Attacker’s Artifacts
– Spambots Detected by Logging Violations to TCP/25 Rule
Configured in Containment 12 Spambots Detected!
– Eradication Needs Time, Disconnect Bots, Move to Recovery
SANS Technology Institute - Candidate for Master of Science Degree
10
Section 4 of 5 (Intrusion Response)
NGFWs in Incident Handling
Continued
• (4) Recovery Phase – Incident Handling Process
Action 1: (Change Mail Server Blacklisted Public IP)
– In Fortinet Technology, Feature is Called IP Pools
– Effect on Outgoing Mail Traffic Only, Otherwise DNS MX Record
Must be Changed
Action 2: (Remove Public IP from Blacklists)
– Get Blacklists from MXtoolbox.com – Request Removal of IP
• (5) Lessons Learned Phase – Incident Handling Process
– Duration from Identification to Recovery – Only one Hour!!
– Compare to Typical Intrusion Response Time of Weeks
Source: Verizon Business, 2008 Data Breach Investigations Report
SANS Technology Institute - Candidate for Master of Science Degree
11
Section 4 of 5 (Intrusion Response)
NGFWs in Network Access Control
• Pre-Admission Network Access Control in NGFW
–
Checks for Existing, Running & Updated Endpoint
Security Solution (Isolate Hosts with Compromised
Endpoint Security Solution)
–
Pre-build Application White-list & Enable On-Demand
(Isolate Hosts with Unknown Applications Installed)
• Post Admission Network Access Control in NGFW
–
–
–
Isolate Hosts that Originate Attacks Detected by NIPS
Isolate Virus Senders Detected by Antimalware
Isolate Hosts Violating Configured DLP Rules
• Allows Very Fast Response Time (Self DOS Potential)
SANS Technology Institute - Candidate for Master of Science Degree
12
Section 4 of 5 (Intrusion Response)
NGFWs in Application Enforcement
• Enforcing Application Use
–
–
–
–
Only Windows Firefox Allowed as a Web Browser
IPS –ve Security Model Becomes +ve Security Model
Achieved by Creating Custom IPS Rule on NGFW
Sample Rule for Fortinet NGFW Below:
config ips custom
edit NotFirefoxBrowserOnWindows
set signature 'F-SBID(--name “App Enforcement” --service HTTP; -default_action DROP; --flow established; --pattern “GET”; -context header; --pattern !“User-Agent: Mozilla/5.0
(Windows: U: Windows NT 5.1: en-us: rv:1.9.0.5)
Gecko/2008120123 Firefox/3.0.5\r\n”; --context
header; )'
end
SANS Technology Institute - Candidate for Master of Science Degree
13
Section 5 of 5
Important Planning Considerations
• Proper Product Selection & Sizing Key to Performance
– Research Underlying HW Technology & SW Integration
– Datasheet Figures not Enough, Check Independent Testing
Lab Certification for Real-World Performance
Ex: NSS Labs Report on the FortiGate 3810A NGFW States
“Sustained 270Mbps Throughput with all Security Services
Enabled”
• Check Quality of Security Services Included in NGFW
(ICSA Labs Certification for IPS, Firewall, AntiMalware, etc…)
• Avoid Single Point of Failure by Clustering;
Decide whether to Fail Open or Closed
(Balance Availability need with Confidentiality & Integrity Need)
SANS Technology Institute - Candidate for Master of Science Degree
14
Summary
• Statistics Demonstrate Improvement Needed in
Current State of Intrusion Detection & Response
• NGFWs Can be Leveraged to Significantly Improve
Intrusion Detection & Response Times
Including Bot Intrusions
• Planning Deployment Critical to Reap Rewards
• Paper in SANS Reading Room Includes More Info
http://www.sans.org/reading_room/whitepapers/firewalls/intrusion_
detection_and_response_leveraging_next_generation_firewall_techn
ology_33053 or … search on “NGFW” in SANS site
SANS Technology Institute - Candidate for Master of Science Degree
15