Transcript Document
eEye Digital Security
eEye Background
•
A three year old security software company
•
Based in Southern California with offices in Geneva, London
and Madrid
•
Creates cutting edge security software:
– Retina™, the Network Scanner
– SecureIIS™, an Application Firewall for Internet
Information Server
– Iris™, the Network Traffic Analyzer
•
Very active in research and development in the digital
security community through numerous advisories
•
Extensive base clients in over 40 countries
Computer Consulting
Partners Ltd.
CCP Ltd. Background
•
A three year old security consulting company
•
Based in Phoenix, Arizona.
•
Provide consulting, design, implementation, and support of
Network Enterprise Solutions focusing on Internet, Intranet,
and Extranet Security.
•
Client base includes fortune500 companies and
governmental agencies.
•
Computer Consulting Partners, Ltd. has partnered with eEye
to provide the highest quality of information security
consulting and products.
eEye Client List
eEye Digital Security
Some of the world’s leading corporate and government entities
secure their networks with our products:
•
•
•
•
•
•
•
•
•
•
•
Intel
University of Chicago
IBM Corp.
Dartmouth Medical
School
US Navy
CMGI
Dupont
Federal Reserve Bank
Southern California
Edison
AT&T
Microsoft
•
•
•
•
•
•
•
•
•
•
•
Lotus
FAA
KPMG
Arthur Anderson
Bank of America
PR Newswire
EDS
Domainnames.com
Bid.com
University of California Los
Angeles
Ernst & Young
eEye Digital Security
Competitive Positioning
eEye Digital Security
eEye Product Positioning
•
Focus on developing best-of-breed security software
products
•
Complement existing tools such as Firewalls and Intrusion
Detection Systems
•
Provide the network administrator with user friendly tools
that help them keep up with ever changing security
requirements
•
Provide security consultants with powerful tools that will
significantly increase their efficiency and ability to deliver
services
Computer Consulting
Partners, Ltd.
CCP Ltd. Positioning
•
Focus on providing our clients with state-of-the-art security
solutions, using best of breed products.
•
Focus on providing our clients with high quality audits and
assessments of their current IT infrastructure vulnerabilities.
•
Focus on providing our clients with state-of-the-art
penetration testing techniques.
•
Enable our clients to understand and support the solutions,
after we leave.
•
Support the client to enable their success.
eEye Digital Security
There are Several Equally Vital Tools to Securing a
Network
Intrusion Detection
Systems (IDS)
Firewall
Vulnerability
Scanner
Your
Network
Reactive
Network
Traffic
Analyzer
Proactive
Virus Scanning
Application
Security
eEye Digital Security
eEye Focuses on Proactive Security Tools
Intrusion
Detection
System (IDS)
F
I
R
E
W
A
L
L
Virus Scanner
Retina™
Network
Security Scanner
Your
Network
SecureIIS™
Web Application
Firewall
Iris™
Network
Traffic
Analyzer
Computer Consulting
Partners, Ltd.
The CCP and eEye Partnership
•
While eEye focuses on proactive Security products, CCP
focuses on all-encompassing security solutions.
•
Utilizing our partnerships with best of breed vendors, like
eEye, we can offer solutions that fit your needs.
Computer Consulting
Partners, Ltd.
CCP Focuses on enabling all-encompassing
Security Solutions and Proactive Services.
ISS RealSecure
Tripwire
Snort
Checkpoint
Firewall-1
Or
Cisco Pix
TrendMicro
Virus Scanner
VPN access
and Link
Encryptors
Your
Network
Traffic Analysis
And
Infrastructure Audit
Vulnerability
Assessments
Biometrics
And
Access
Control
Secure Design of
Application and Service
infrastructure
eEye Digital Security
Retina
The Network Security
Scanner
eEye Digital Security
Retina – What it Does
• Retina scans a server, workstation, firewall, router, etc for
vulnerabilities. Input in Retina the IP address or URL of a machine
(say www.eEye.com) and Retina will audit that machine
• The result is an interactive or printable report listing all the
vulnerabilities on that machine
• For each of the vulnerabilities, Retina provides a risk
assessment and indicates how to fix it by either providing the
appropriate patch link or by providing with a step by step
procedure of how to configure the machine to fix the problem
• For many vulnerabilities, Retina has a revolutionary “Auto FixIt” capability that makes the required system changes
eEye Digital Security
Sample Retina Screen Shot
Scanned
Computer
Identified
Vulnerabilities
Auto
Fix
Risk Level
Selected
Vulnerability &
Description
Fix Description
Retina Features – Vulnerability Auditing Modules
eEye Digital Security
Retina includes vulnerability scanning and auditing for the
following systems & services:
-
NetBIOS
HTTP, CGI and WinCGI
FTP
DNS
DoS
POP3
SMTP
Registry
Services
Users and Accounts
Password vulnerabilities
Publishing extensions
-
Database servers
Firewalls and Routers
Proxy Servers
Web Interfaces
Files and permissions
Unix RPC services
NFS mounts
IMAP
LDAP
SSH
Telnet
SNMP
Trojans
DDoS Agents
eEye Digital Security
What Makes Retina Unique
•
Fastest scanner in the market
•
Incorporates NMAP Fingerprint Database and NMAP
functionality
•
Smart port scanning
•
CHAM [Common Hacking Attack Methods] – Artificial
Intelligence that looks for unknown vulnerabilities
•
Open architecture and API for custom audit development
•
Complete control over policy and audits
•
No limitations on the specific IPs audited
•
Auto “Fix-It” feature
•
Auto Update feature
•
Smart Reporting – reporting modifies according to level of risk
•
Custom Reporting – modified by client of service provider
Retina Features
eEye Digital Security
•
•
•
•
Smart Scanning
Security scanners on the
market assume that a certain
port is a certain protocol
Retina never assumes anything.
It analyses specific input/output
data on a port to determine
what protocol and service is
actually running
Open Architecture
Retina offers the flexibility to
create customized modules
with any programming
language, including Perl, C,
C++, Visual Basic, Delphi etc.
With our new RTH Wizard,
administrators can create
custom audit on the fly
CHAM (Common Hacking Attack
Methods)
•
CHAM learns as much information as
possible about your network to discover
unknown vulnerabilities
•
Based on this information, CHAM then
performs hacking attacks on several
protocols that you may pre-select in the
Policies menu (FTP, POP3, SMTP, HTTP)
•
•
Fix-it
For certain vulnerabilities that
require configuration changes, Retina
provides the ability to auto-fix the
problem
The feature saves network
administrators and consultants
significant time
Retina Features
eEye Digital Security
Policies
•
Retina allows total flexibility on which
•
audits to perform (ports, audit
classes etc.)
•
For example, create a policy that
only audits DoS vulnerabilities or
define the NT IP Fragment
Reassembly audit within the DoS
class
•
Smart Reporting
•
Retina produces highly customizable
reports of network scans and the
technical sophistication of the targeted
report audience
•
The reports can be highly “white-labeled”
•
The reports provide vivid graphical
representation of the vulnerability and
risk profile of a scanned host or network
Auto update
There are 10 to 50 vulnerabilities
discovered every day . eEye
discovers many of these and
regularly updates its vulnerability
database
Retina users are able to regularly
update their vulnerability database
through a simple Retina interface
over a normal internet connection
How does Retina stack up to the competition?
eEye Digital Security
FEATURES
Smart
Reporting
Smart
Scanning
NETWORK VULNERABILITY SCANNERS
eEye
Retina
ISS
Scanner
NAI
Cybercop
Bindview
BV-Control
Symantec
NetRecon
√
√
√
√
√
√
√
√
√
√
√
√
√
Autofix
√
Auto Update
√
CHAM
√
Open
Architecture
Centralized
Management
√
√
√
Retina is the FASTEST Security Scanner on the market
Includes “Fix-It” option
Known for ease-of-use.
√
eEye Digital Security
SecureIIS
The Application Firewall For
Microsoft’s IIS Web Server
eEye Digital Security
The Issue That SecureIIS Addresses
•
Web servers are the most vulnerable part of a network since
they are open to the public and must allow various forms of
traffic to enter the server
•
Traditional server protection such as network firewalls and
intrusion detection systems are not always able to protect a
server for several reasons:
• Firewalls and IDS systems rely on a database of known
hacker attack signatures
• Hackers are able to slightly modify attacks to get around
these systems…
• … the IT administrator may not have updated the systems
with the latest database…
• … Or, worst yet, there are types of attacks that have not
been identified by security organization (unknown
attacks.)
eEye Digital Security
The Issue That SecureIIS Addresses
•
Microsoft’s IIS (Internet Information Services) is a very
popular Web server application running on approximately 8
million servers worldwide
•
IIS is notorious for being susceptible to hacker attacks
• Over the last few years, Microsoft has released several
security updates and patches to cover discovered
vulnerabilities
• Security research firms continue to uncover more
vulnerabilities. eEye recently uncovered two major
vulnerabilities, one of which was leveraged by Code Red
Worm
•
IT Administrators tend to share a growing frustration with
maintaining the security of IIS…
•
…A great lead in for the value of SecureIIS
SecureIIS – The Application Firewall
eEye Digital Security
•
•
•
•
•
•
SecureIIS is an “Application Firewall” designed specifically
to protect IIS
SecureIIS is not dependent on a vulnerability or attack
signature database
SecureIIS protects against “classes” of hacker attack.
Instead of looking for specific attack signatures, it blocks
entire classes of attack by detecting their overall
characteristics
The application, an extension of the eEye CHAM technology
in Retina, “understands” how a web server behaves. Any
activity on the network contrary to this authorized
behavior is stopped.
SecureIIS has been shown to prevent attacks that leverage
known vulnerabilities…
… In the case of Code Red, SecureIIS protected its clients
from that worm before the worm was discovered by the
industry
SecureIIS Product Features
eEye Digital Security
SecureIIS wraps around Internet Information Server and
works within it, verifying and analyzing incoming and
outgoing Web server data for any possible security breaches
The Classes of Attack That SecureIIS Protects Against:
• Buffer Overflow Attacks
• High Bit Shellcode Protection
• Parser Evasion Attacks
• Directory Traversal Attacks
• General Exploitation
• Banner replacement
• Logging of failed requests
Product Interface
eEye Digital Security
Multiple Web sites
on a single server
can be protected
The user can
configure the
parameters that are
protected in each of
the classes of attack
Classes of hacker
attacks blocked –
Each represent a
category of attack
with sub-categories
that are
configurable
Each class of attack is
described in detail with
assistance on
configuration
eEye Digital Security
Product Interface
SecureIIS also
protects IIS-related
applications such as
Frontpage and
Outlook Web
Access
eEye Digital Security
Description of the Classes of Attack
Buffer Overflow Attacks
Buffer overflow vulnerabilities stem from problems in string handling. Whenever a
computer program tries copying a string or buffer into a buffer that is smaller than itself, an
overflow is sometimes caused. If the destination buffer is overflowed sufficiently it will overwrite
various crucial system data. In most situations an attacker can leverage this to takeover a
specific program's process, thereby acquiring the privileges that process or program has.
SecureIIS limits the size of the "strings" being copied. Doing this greatly reduces the chance of a
successful buffer overflow.
Parser Evasion Attacks
Insecure string parsing can allow attackers to remotely execute commands on the
machine running the Web server. If the CGI script or Web server feature does not check for
various characters in a string, an attacker can append commands to a normal value and have the
commands executed on the vulnerable server.
Directory Traversal Attacks
In certain situations, various characters and symbols can be used to break out of the
Web server's root directory and access files on the rest of the file system. By checking for these
characters and only allowing certain directories to be accessed, directory traversal attacks are
prevented. In addition, SecureIIS only allows clients to access certain directories on the server.
Even if a new hacking technique arises, breaking out of webroot will still be impossible.
General Exploitation
Buffer overflows, format bugs, parser problems, and various other attacks will
contain similar data. Exploits that execute a command shell will almost always have the string
"cmd.exe" in the exploiting data. By checking for common attacker "payloads" involved with
these exploits, we can prevent an attacker from gaining unauthorized access to your Web server
and its data.
eEye Digital Security
Description of the Classes of Attack
HTTPS/SSL Protection
SecureIIS resides inside the Web server, thus capturing HTTPS sessions before and
after SSL (Secure Socket Layer) encryption. Unlike any Intrusion Detection System or firewall
currently on the market, SecureIIS has the ability to stop attacks on both encrypted and
unencrypted sessions.
High Bit Shellcode Protection
Shellcode is what is sent to a system to effectively exploit a hole called a "buffer
overflow". High Bit Shellcode Protection offers you a high degree of protection against this type
of attack because it will drop and log all requests containing characters that contain high bits.
All normal Web traffic, in English, should not contain these types of characters and almost all
"shellcode" requires them to produce the effective exploit.
Third Party Application Protection
The power of SecureIIS is not limited to IIS specific vulnerabilities. SecureIIS can
also protect third party applications and custom scripts from attack. If your company has
developed customized components for your Web site, components that might be vulnerable to
attack, you can use SecureIIS to protect those components from both known and unknown
vulnerabilities. Let SecureIIS work as your own web based “Security Quality Assurance”
system.
Logging of Failed Requests
In the installed SecureIIS directory, we post a file called SecureIIS.log. This file
contains a log of all attacks and what triggered the event that caused SecureIIS to drop the
connection. This is an effective way to monitor why requests are being stopped, and who is
requesting things that they shouldn't. Since SecureIIS enforces a strong security policy for how
sites are configured, you can use this log to find places where your Web site may not be acting
correctly due to an insecure setting. Also, since Internet Information Server has the
unfortunate habit of not logging attacks like buffer overflows that are successful, a twofold
security benefit is provided here. Such attacks are not only stopped, but also logged so you
can take action accordingly.
eEye Digital Security
Iris
The Network Traffic
Analyzer
eEye Digital Security
Iris – The Network Traffic Analyzer
•
Iris is a revolutionary product and has very little competition
in the market.
•
In “promiscuous mode”, it captures all data traffic within a
network. For example, when a web page is served, the data
is available on the entire network, but only one computer is
“listening” for it. A machine in “promiscuous mode” would
also pick up that data.
•
The challenge is organizing and understanding the massive
amount of data a compute in promiscuous mode would pick
up.
eEye Digital Security
Iris – The Network Traffic Analyzer
•
Iris organizes and displays data packets, their origin, their
destination and other technical information.
•
Most importantly, Iris recognizes various protocols (HTTP,
POP3, SMTP, etc.) and decodes these packets into
recognizable forms such as web pages.
•
This allows Iris to act as a video recorder of the activity of
network users, giving the network owner tremendous control
over the network.
•
Iris is also capable of monitoring and alerting for various
variables such as words (pornography), IP addresses
(competitors, restricted sites) and more.
Iris – Screen Shot
eEye Digital Security
Data Pack
Analysis of a
specific data
packet
eEye Digital Security
Iris – Screen Shot
Network
Users
What is
SKYWALKER
looking at?
The Decoder
Iris Features
Monitoring Users
eEye Digital Security
•
•
•
Network VCR’s
Iris decodes most non-encrypted
network protocols such as HTTP,
POP3, SMTP and many others.
With the click of a button you will
know which site network users have
visited, and will regenerate visited
web pages with formats and content.
•
Iris monitors non-encrypted webbased mail, messenger service and
chat activity.
•
•
Iris has the ability to act as a “VCR”
for your network by recording all
information traveling across a
network.
Recorded information can be
viewed and decoded in real-time or
played back at a later time.
This network “VCR" capability also
demonstrates Iris’ unrivaled easeof-use.
Screening Tools
•
Iris monitors network traffic by setting
numerous screening criteria.
•
Monitor and record network traffic based on a
specific MAC address, IP address, word,
protocol, etc.
eEye Digital Security
Building successful security infrastructures
Some Information to Help
You Build a Successful
Security Infrastructure
eEye Digital Security
Digital Security - The Problem is Real
•
90% of companies surveyed by the FBI have detected cyber
attacks recently
•
Disgruntled employees, industrial espionage, and data theft
are responsible for 70-80% of security breaches
•
Increase in external threats from hackers, ex-employees,
competitors and cyber terrorists
•
The rise of “Script Kiddies” - Hackers who do not target
specific organizations, but run scripts scanning the net for ANY
vulnerable network
eEye Digital Security
Digital Security-The Problem is Real
•
273 organizations reported $265 Million dollars in financial
losses in the year 2000
•
Financial losses due to cyber attacks in the year 2000, were
higher than 1997,1998 and 1999 combined
•
The annual loss from computer network crime is $550
million annually in the U.S. alone*
Survey by Computer Security Institute (CSI) and the Federal Bureau of Investigation, 2000
*National Center for Computer Crime Data in Santa Cruz, California
Seven Fatal Digital Security Management Errors
eEye Digital Security
1. Relying primarily on a firewall for security perimeter
protection.
2. Failure to realize how much money information and
organizational reputation are worth.
3. Pretending the problem will go away.
4. Authorizing reactive, short-term fixes so problems re-emerge
quickly.
5. Failure to deal with the operational aspects of security: make
a few fixes and then do not follow through to ensure the
problem stays fixed.
6. Failure to understand the relationship of information security
to the business problem – they understand physical security,
but do not see the consequence of poor information security.
7. Assigning untrained people to maintain security and provide
neither the training nor the time to make it possible to do the
job.
eEye Digital Security
Typical Security Parameter Failures
•
Management and support personnel often rely exclusively on firewalls and ignore
internal digital security considerations
•
Members of your organization can easily request that analog lines be installed at
their workspace. These are often used to connect to ISP’s or to set up dial-in
access to their desktop system, thus bypassing any protection from the security
perimeter
•
Some network services (e.g., ftp, tftp, http, sendmail) destined for internal hosts
are passed through the security perimeter control points unscreened
•
The firewall hosts or routers accept connections from multiple hosts on the internal
network and from hosts on the DMZ network
•
Access lists are often configured incorrectly, allowing unknown dangerous services
pass through freely
•
Logging of connections through the security perimeter is either insufficient or not
reviewed on a regular basis
•
Hosts on the DMZ or hosts running firewall software are also running unnecessary
services such as tftp, telnet, rpc, mail, etc.
•
Support personnel use telnet or other unencrypted protocols for managing the
firewalls and other DMZ devices
•
People frequently implement encrypted tunnels through their security perimeter
without fully validating the security of the endpoints of the tunnel
Computer Consulting
Partners, Ltd.
Digital Security Best Practices
•
An understanding of the risks to your environment.
CCP can assess the risks facing your networks.
•
A suite of host and network based security auditing and
improvement tools
CCP and eEye can provide state-of-the-art tools to help you.
•
An understanding of the business needs and processes to meet
those needs.
CCP can help you realize these processes and implement solutions
that ensure security success, without interfering with business
needs.
•
A strong commitment from upper management to support your
roadmap for security infrastructure improvements and to provide
sufficient resources to get the work done
CCP can provide the knowledge resources to get the job done
right. A security mission statement and the associated guiding
principals
Computer Consulting
Partners, Ltd.
Digital Security Best Practices
•
A security awareness program that reaches everyone in the
organization
CCP can help you develop a security awareness program to keep
your assets safe.
•
Clearly defined implemented and documented security policies and
procedures that are supplied to everyone within the organization
CCP can help you document and implement policies that can help
protect your digital assets.
•
A three to five year roadmap for security infrastructure
improvements
CCP can help you understand where you are… and enable you to
be where you want to be in the future.
•
A dedicated team of trained security professionals and consultants
to make it all happen.
CCP & eEye can help you make it happen.
4800 N. 7th St.
Phoenix, AZ 85014
Phone: (602) 277-2285
Toll-Free: (800) 665-0959
Fax: (602) 277-8099
E-Mail: [email protected]