Stateless Checks - ISSA|Pittsburgh Chapter


Industry Overview
Victor Kasacavage, Systems Engineer, Juniper Networks
Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential
www.juniper.net
Agenda
• Why does security matter?
• Types of Protection
• IDS vs IPS
• Layer 7 vs Layer 4
• Attack Phases and Tools
• Summary
Why Do People Care? Money
• Service Providers
  • Loss of bandwidth/connectivity = Loss of product = Loss of reputation
  • Theft of customer info = Loss of reputation
• Enterprise
  • Loss of productivity = Loss of immediate business + future business
  • Loss of intellectual property
• User
  • Loss of passwords = network vulnerability
  • Loss of personal identity/passwords = theft
Security Has Changed
An incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time.
[Chart: Security Incidents Reported by Year, 1988–2003; y-axis Number of Incidents, 0 to 160,000. Source: CERT Coordination Center]
“Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks. Therefore, as of 2004, we will no longer publish the number of incidents reported.”
If You Sell It, They Will Buy
• Market doubled in 2005 for IPS, over half a billion for IDS/IPS this year
• IPS one of fastest growing segments in industry
• IDS users moving to IPS!
• “Most of the market remains a green field of prospects with interest and demand”*
[Chart: Worldwide Network-Based IPS and IDS Product Manufacturer Revenue ($M), IDS vs IPS by calendar year, CY01–CY08; y-axis $0 to $600]
*Network Security and Intrusion Prevention, ESG, Jan 2005
Types of Protection
What technologies are available today?
• Firewalls
  • Controls access between networks
  • Limits access to provide security
  • Some firewalls have more advanced inspection methods
• Antivirus
  • Inspects for viruses in files or network traffic
  • Prohibits viruses embedded in files
  • Available as host software or network software/devices
  • Market began with host software, and is further developed
• Intrusion Detection Systems/Intrusion Prevention Systems
  • Watches for attacks on networks or on the host
  • Evaluates network traffic to determine if a suspected intrusion has taken place
  • Signals an alarm, creates a log (IDS/IPS) or drops traffic (IPS) (one or all)
  • Available as host software and/or network software

Risk = Threat × Vulnerability × Asset Value / Countermeasures ($)
The market would buy insurance, if it only knew what to buy!
• Must be comprehensive (not a half-solution)
• Must be implementable
• Must be actionable (not just advice)
• Should help with compliance issues (SOX, CESG, HIPAA, Basel II, GLB)
Intrusion Detection & Intrusion Prevention
IDS and IPS are designed to protect from:
• Network Worms
• Non-File Based Trojans
• Spyware/Adware/Keyloggers “phoning home”
• Other Malware & Zero-Day Attacks
• DOS

Intrusion Detection System (IDS)
What it does:
• Hangs off switch (SPAN) or wire (TAP)
• Examines inbound and outbound network traffic for attacks but does not block them
• Responds with an alert
• Usually PC-based
Pluses:
• Does not slow network
Minuses:
• Cannot operate inline
• Cannot block traffic
• Does not take any action…just sends an alert
• Can generate a data overload (tons of alerts)
• Can be very hard to manage

Intrusion Prevention System (IPS)
What it does:
• Deployed inline but some can also be deployed in IDS mode
• Examines network traffic for attacks and can alert and/or block
• Often purpose-built
Pluses:
• Can be placed inline
• Can be configured to drop traffic without requiring any user intervention (hence can be easier to manage)
• Can be used to deliver true application visibility
Minuses:
• Since it operates inline, it can introduce extra latency and an extra failure point
• Differences in attack coverage and accuracy between vendors may cause customers to wrongly compare on performance
A Complete Solution
At a minimum, the enterprise needs:
• Firewall – necessary for first-line perimeter defense
• Host-based antivirus – prevents many viruses where they start
• Network intrusion detection and prevention solution
  • Needs application-layer visibility to stop only attacks, in real time
  • Full Layer 7 application visibility, which provides:
    • Context – not just the “bits” or “words,” but the “conversation”
    • Application/Protocol Breadth – insight into many different protocols
    • 2-Way Traffic Inspection – not just one direction of data, but both directions
    • “Zero-Day” Intelligence – not just known attacks, but unexploited vulnerability protection and protocol anomalies
  • Different detection methods for different phases of attack
Context: Layer 7 IPS vs Layer 4 IPS Concept
[Figure: the same traffic bit stream fed to Layer 7 processing and to Layer 4 processing]
Layer 7 processing extracts from the traffic bit stream:
• application state,
• application message,
• application message value
and so can offer:
• Precise L7 pattern match
• Can perform protocol anomaly detection
• Can detect zero-day attacks
Layer 4 processing sees only the raw bits: basic, error-prone pattern match.
Protocol Breadth
• Compares protocol behavior as seen in the traffic to the protocol RFC
• Requires support of many common protocols
Two-Way Traffic Inspection
Must look at incoming and outgoing traffic
• One-way IPS inspects only the request side (1) and lets ALL response traffic through (2)
• Two-way IPS inspects both the request (1) AND the response (2)
Context + Protocol Breadth + 2-Way
Need all for zero-day protection
• Zero-day attacks have no signatures
• They can be discovered only with a combination of:
  • Layer 7 information
  • Protocol behavior comparisons
  • Both sides of the network “conversation”
Attack Phases and Tools
• Different methods for different attack phases
  • Preparing to attack – the recon phase
  • External and internal attacks
  • Unknowing employees bring in infection
Detection Methods
• Protocol Anomaly
• Stateful Signatures
• Backdoor Detection
• Traffic Anomaly
• Syn-Flood Detection
• IP Spoof Detection
• Layer 2 Detection
Multiple Methods Of Detection: Recon Detection
The attacker is trying to find vulnerabilities.
Traffic Anomaly Detection
• Notes unusual traffic based on admin-configurable rules
• X ports per Y time; X IP addresses per Y time; X sessions per Y time
Network Honeypot
• Impersonates services, sending fake information in response to scans to try to entice attackers to access the non-existent services.
• There is no reason for legitimate traffic to access these resources because they don’t exist, so any attempt to connect constitutes an attack.
[Figure: a real server beside a fake server advertising FTP, SSH, Telnet]
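The “X ports per Y time; X IP addresses per Y time” rules above, implemented as a sliding-window detector run over constructed flow records. This is an added example, not Juniper IDP code; the thresholds, window length and addresses are assumptions.

```python
"""Traffic-anomaly detector for the slide's "X ports per Y time" and "X IP
addresses per Y time" rules. Added example, not Juniper code; thresholds,
window and flow records are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int


class TrafficAnomalyDetector:
    """Per-source sliding window; alerts once per (source, rule) when distinct
    ports (port scan) or distinct hosts (host sweep) exceed the limit."""

    def __init__(self, max_ports=10, max_hosts=10, window=5.0):
        self.max_ports, self.max_hosts, self.window = max_ports, max_hosts, window
        self._recent = defaultdict(deque)   # src -> deque of (ts, dst, dport)
        self._alerted = set()               # (src, rule) already reported

    def observe(self, flow):
        # Flows must arrive in time order; returns an alert string or None.
        q = self._recent[flow.src]
        q.append((flow.ts, flow.dst, flow.dport))
        while q and flow.ts - q[0][0] > self.window:   # expire old events
            q.popleft()
        ports = {p for _, _, p in q}
        hosts = {h for _, h, _ in q}
        for rule, count, limit in (("port_scan", len(ports), self.max_ports),
                                   ("host_sweep", len(hosts), self.max_hosts)):
            if count > limit and (flow.src, rule) not in self._alerted:
                self._alerted.add((flow.src, rule))
                return f"{rule}: {flow.src} touched {count} in {self.window}s"
        return None

def run(flows, **kw):
    """Replay an ordered flow list through a fresh detector; return alerts."""
    det = TrafficAnomalyDetector(**kw)
    return [a for a in (det.observe(f) for f in flows) if a]

# Constructed sample: one ordinary client plus a host probing 12 ports in 3 s.
SAMPLE = sorted(
    [Flow(0.0, "192.0.2.10", "198.51.100.5", 443),
     Flow(1.0, "192.0.2.10", "198.51.100.5", 80)]
    + [Flow(0.25 * i, "192.0.2.77", "198.51.100.5", 20 + i) for i in range(12)],
    key=lambda f: f.ts)
```

`run(SAMPLE)` reports the probing host once, when its 11th distinct port falls inside the window, and stays silent for the ordinary client.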
Multiple Methods Of Detection: Attack Detection
The attacker has identified vulnerabilities or proceeded, and establishes a connection.
Protocol Anomaly Detection
• Compares traffic to the protocol specification
• Only as useful as the number of protocols supported
• Example: server expects <256 bytes; attacker sends 512 bytes!
Stateful Signatures
• Tracks state of the network “conversation.”
• For example, differentiates control portion from body of e-mail
• Significantly reduces false positives!
• Example: CNTL > expn root (an exploit attempt in the control portion); CNTL > From, To; DATA > “expn root is an exploit…” (the same words in the message body are not an attack)
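Both checks on this slide worked through as code added here (not Juniper IDP code): a stateful SMTP inspector that flags “EXPN root” only in the control portion and treats an oversized command as a protocol anomaly, beside a stateless matcher that also fires on the same words inside the message body. The 256-byte limit and the client sessions are constructed to mirror the slide.

```python
"""Stateful SMTP signature check illustrating the slide's CNTL-vs-DATA
example. Added code, not Juniper IDP; the 256-byte command limit is the
slide's illustrative figure (constructed), not an RFC value."""
import re

MAX_CMD_LEN = 256                          # slide: "server expects <256 bytes"
EXPN_ROOT = re.compile(r"expn\s+root", re.I)


def stateless_match(lines):
    """Layer 4 style: flag the pattern wherever it appears in the stream."""
    return [f"L{i}: expn root" for i, ln in enumerate(lines, 1) if EXPN_ROOT.search(ln)]


def inspect_smtp(lines):
    """Track client state (COMMAND vs DATA) and check each line by state."""
    state, findings = "COMMAND", []
    for i, line in enumerate(lines, 1):
        if state == "DATA":
            if line == ".":                # end-of-message terminator
                state = "COMMAND"
            continue                       # body text is never a command
        n = len(line.encode())
        if n > MAX_CMD_LEN:                # protocol anomaly: oversized command
            findings.append(f"L{i}: protocol anomaly, {n}-byte command")
            continue
        if EXPN_ROOT.match(line):          # stateful signature: EXPN as a command
            findings.append(f"L{i}: EXPN root in control portion")
        elif line.upper() == "DATA":
            state = "DATA"
    return findings


# Constructed client-side sessions.
ATTACK = ["HELO evil.example", "EXPN root", "QUIT"]
BENIGN = ["HELO mail.example", "MAIL FROM:<a@example.net>", "RCPT TO:<b@example.net>",
          "DATA", "From: a@example.net", "To: b@example.net", "",
          "expn root is an exploit... (body text, as on the slide)", ".", "QUIT"]
OVERSIZED = ["HELO " + "A" * 600, "QUIT"]

if __name__ == "__main__":
    for name, s in (("attack", ATTACK), ("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, "stateless:", stateless_match(s), "stateful:", inspect_smtp(s))
```

The stateless matcher raises a false positive on line 8 of the benign session, while the stateful inspector reports nothing for it.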
Multiple Methods Of Detection: Propagation/Proliferation Detection
Initial attack has succeeded and is now proliferating.
Spyware
• Recognizes spyware when it attempts to “phone home”
• Identifies source of message, so it can be eliminated before it spreads
• Example: download “freeware” (with a spyware surprise)
Backdoor Detection
• Attackers can send a worm or Trojan that is downloaded with something else (e.g., IM with a surprise!)
• It stays dormant until the attacker activates it to open a backdoor into the network (“opens the backdoor”)
• IDP recognizes the non-allowed interactive traffic between the attacker and the worm.
Multiple Methods Of Detection: Propagation/Proliferation Detection (continued)
Initial attack has succeeded and is now proliferating.
IP Spoof Detection
• Attacker spoofs IP addresses to make it look like the message is coming from inside the network
• Just define IP subnets behind each interface (e.g., 10.1.1.0/24)
• Validate source IP against inbound interfaces.
• Example packet: SRC-IP 10.1.1.1, DST-IP 10.1.1.55, DST-Port 53, DATA – the source claims an address in the 10.1.1.0/24 subnet defined behind the inside interface
Layer 2 Attack Detection
• ‘arpspoof’ and ‘dsniff’
• MAC/IP flip-flops between interfaces
• Mismatch between Ethernet frame and ARP header
• IP address change for the same MAC
• Invalid ARP request/reply frames
[Figure: typical ARP request/reply beside a forged ARP packet]
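The source-IP validation and the Layer 2 checks from this slide as added example code (not Juniper IDP code). The interface-to-subnet map (including the slide's 10.1.1.0/24), interface names and ARP frames are constructed.

```python
"""Ingress source-IP validation and ARP consistency checks, added to
illustrate the slide's "validate source IP against inbound interfaces" and
Layer 2 rules. Not Juniper code; topology and frames are constructed."""
import ipaddress
from dataclasses import dataclass

# Subnets defined behind each interface (constructed; 10.1.1.0/24 is the slide's).
INTERFACE_SUBNETS = {
    "inside": [ipaddress.ip_network("10.1.1.0/24")],
    "dmz":    [ipaddress.ip_network("192.0.2.0/24")],
}


def ip_spoof_check(iface, src_ip):
    """Spoofed if the source lies in a subnet defined behind another interface."""
    src = ipaddress.ip_address(src_ip)
    for other, nets in INTERFACE_SUBNETS.items():
        if other != iface and any(src in n for n in nets):
            return f"spoof: {src_ip} arrived on {iface} but belongs behind {other}"
    return None


@dataclass(frozen=True)
class ArpFrame:
    iface: str
    eth_src: str        # Ethernet source MAC
    sender_mac: str     # ARP header sender hardware address
    sender_ip: str      # ARP header sender protocol address


class ArpMonitor:
    """Remembers each MAC's last IP and interface to spot the slide's anomalies."""

    def __init__(self):
        self.ip_of_mac, self.iface_of_mac = {}, {}

    def observe(self, f):
        alerts, mac = [], f.sender_mac.lower()
        if mac in ("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"):
            alerts.append(f"invalid ARP frame: sender MAC {mac}")
        if f.eth_src.lower() != mac:
            alerts.append(f"Ethernet/ARP header mismatch: {f.eth_src} vs {f.sender_mac}")
        if mac in self.iface_of_mac and self.iface_of_mac[mac] != f.iface:
            alerts.append(f"MAC {mac} flip-flopped {self.iface_of_mac[mac]} -> {f.iface}")
        if mac in self.ip_of_mac and self.ip_of_mac[mac] != f.sender_ip:
            alerts.append(f"MAC {mac} changed IP {self.ip_of_mac[mac]} -> {f.sender_ip}")
        self.iface_of_mac[mac], self.ip_of_mac[mac] = f.iface, f.sender_ip
        return alerts
```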
Summary - IPS Selection Criteria
• Detection Methods
• Network and Application Visibility
• Accuracy
• Management and Ease of Use
• Throughput
• System Transparency
Juniper Standalone IDP Product Line
IDP 50 – Small network segments or low speed links
• 50Mb Throughput
• 10,000 Maximum Sessions
• 1 GB Memory
• Integrated Bypass Ports
IDP 200 – Medium central site and large branch offices
• 250Mb Throughput
• 50,000 Maximum Sessions
• 1 GB Memory
• HA Clustering and Integrated Bypass Ports
IDP 600C/F – Medium to large central site or high traffic areas
• 500Mb Throughput
• 200,000 Maximum Sessions
• 4 GB Memory
• HA Clustering
• Fiber or Copper Gigabit Port Versions
• Dual SCSI drives and redundant power
IDP 1100C/F – Large central site or high traffic areas
• 1 GB Max Throughput*
• 500,000 Maximum Sessions
• 4 GB Memory
• HA Clustering
• Fiber or Copper Gigabit Port Versions
• Dual SCSI drives and redundant power
*As tested with IDP 3.0 software
All contain full IDP features and are managed using the same interface = Increased Security throughout the Network & Lower TCO