Defenses-guest
Common IS Threat Mitigation Strategies
An overview of common detection and protection technologies
Max Caceres
CORE Security
Technologies
www.coresecurity.com
Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies
AGENDA
Intro
Securing the Perimeter
Intrusion Detection
Intrusion Prevention
The New Perimeter
Q&A
A risk management approach to security
WHY MITIGATE?
Modern networks are complex systems
– Each node has specific security characteristics
– Nodes interact with each other
– Subject to constant change (business driven)
Security as an emergent characteristic
Focus on risk
– 100% bulletproof is a utopian dream
– As countermeasures and protection mechanisms evolve, attacks evolve too
Friends in, Foes out. Defining and securing the network perimeter
SECURING THE PERIMETER
Packet filters can control which packets are allowed to get through the firewall and which are not
PACKET FILTERS
Packet filter
– Rules based on individual packets
– Real fast
– Most popular routers incorporate this functionality
Stateful packet filter
– Rules can refer to established sessions or flows
– Very fast
– Most modern firewalls are stateful
[Diagram: a client behind the firewall opens a TCP session: SYN | port 80 → SYN | ACK | ISN# 2222 → ACK #2222 | port 80 | data → ACK #bbbb | data]
Application layer firewalls provide a more granular control of networked applications and services
APPLICATION LAYER FIREWALLS
Police traffic at the application layer
Pros
– Rules refer to specific services
– Can spot protocol deviations and abuses
– Very granular control on protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block the ‘ character in HTTP form fields)
Cons
– Resource intensive
– Tough to keep up with app-layer protocols
[Diagram: firewall inspecting HTTP. GET /index.html passes through and its Response returns; GET /null.printer is BLOCKED!]
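An added example (not from the slides) of the HTTP inspection the diagram shows: the request is parsed at the application layer, the unused .printer extension is refused, and form fields in the query string or POST body are checked for the ‘ character after URL-decoding, so an encoded %27 does not slip past. The method set, extension list and sample requests are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # constructed policy
BLOCKED_EXTENSIONS = (".printer",)          # unused server extension, as in the diagram

def inspect_http(raw: bytes) -> tuple[str, str]:
    """Return ("ALLOW"|"BLOCK", reason) for one raw HTTP request."""
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "BLOCK", "malformed request line"       # protocol deviation
    if method not in ALLOWED_METHODS:
        return "BLOCK", f"method {method} not permitted"
    if not version.startswith("HTTP/1."):
        return "BLOCK", f"unexpected version {version}"
    url = urlsplit(target)
    if url.path.lower().endswith(BLOCKED_EXTENSIONS):
        return "BLOCK", f"unused extension in {url.path}"
    # parse_qsl URL-decodes values, so the check sees what the server would see
    fields = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST":
        fields += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in fields:
        if "'" in value:
            return "BLOCK", f"quote in form field {name}"
    return "ALLOW", "ok"
```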
Dividing the network in different physical segments has many advantages
NETWORK SEGMENTATION
Assigning trust to network segments
Pros
– Reduces “attack surface” at many levels
– Contains or limits successful intrusions
– Provides control and audit capabilities for internal traffic
Cons
– Tough to configure and manage if the network is very dynamic
– Strict performance requirements
A classic segmentation example: the DMZ
NETWORK SEGMENTATION (2)
Intrusion Detection Systems passively monitor the network’s operation for attacks and anomalies
INTRUSION DETECTION
Monitor the network for security events
– Intrusion attempts
– Successful attacks
– Anomalies
Forensics
– Network audit trail
Internally deployed
– Detect anomalies within the perimeter
Externally deployed
– Measure threat (?)
There are many different IDS technologies being developed today
INTRUSION DETECTION STRATEGIES
Signature based
– Watches for known attacks (signatures)
– Can detect some well defined anomalies
Anomaly
– Watches for anomalies (not known attacks)
– Self learned (adapts to the network) / Programmed (follows defined rules)
Host based
– Sensor sits in monitored host
Network based
– Sensor sits on network
Hybrids
Each one of these technologies has limitations
INTRUSION DETECTION LIMITATIONS
Signature based
– Can only detect known attacks (sometimes only specific attack incarnations)
– Must be constantly updated
Anomaly
– Cannot easily absorb change
– Some attacks are hard to separate from legitimate traffic
Host based
– Requires widespread deployment of sensor/agent (hard to manage / expensive)
– Introduces complexity into end-systems
Network based
– Vulnerable to differences in TCP/IP implementations
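The signature and anomaly strategies, and the limitations listed for each, in one added example (not from the slides): a case-sensitive signature catches /null.printer but not a differently-cased incarnation until it is updated, while a self-learned model of which paths are normal catches the variant but also flags a newly published legitimate page. The baseline traffic, the signatures and the event paths are constructed.

```python
import re
from collections import Counter

# Constructed training traffic: request paths seen on the monitored web server
BASELINE = ["/index.html"] * 40 + ["/images/logo.png"] * 30 + ["/about.html"] * 10

# Signature matching one specific incarnation of the request, and the updated
# signature after the analyst learns the server treats the extension case-insensitively
SIGNATURES = {"printer-ext": re.compile(r"\.printer$")}
UPDATED_SIGNATURES = {"printer-ext": re.compile(r"\.printer$", re.IGNORECASE)}

def signature_alerts(path: str, sigs=SIGNATURES) -> list[str]:
    """Signature based: report every known pattern the path matches."""
    return sorted(name for name, rx in sigs.items() if rx.search(path))

class AnomalyDetector:
    """Self-learned anomaly detector: a path is 'normal' if it made up at
    least min_fraction of the training traffic; anything else is anomalous."""
    def __init__(self, baseline: list[str], min_fraction: float = 0.01):
        counts, total = Counter(baseline), len(baseline)
        self.normal = {p for p, c in counts.items() if c / total >= min_fraction}

    def is_anomalous(self, path: str) -> bool:
        return path not in self.normal

def evaluate(paths: list[str], sigs, detector: AnomalyDetector) -> dict:
    """For each path: (signature hits, anomaly verdict)."""
    return {p: (signature_alerts(p, sigs), detector.is_anomalous(p)) for p in paths}

EVENTS = ["/index.html", "/null.printer", "/NULL.PRINTER", "/news.html"]  # constructed
```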
Intrusion Prevention generates an active response to intrusion events
INTRUSION PREVENTION
Responds actively to security events
– Terminates network connections
– Communicates with the firewall / switch to disconnect / block attacker
– Terminates compromised process
Pros
– Doesn’t require human attention (?)
– Can preemptively block known intrusion attempts
Cons
– Doesn’t require human attention (!)
– Can block legitimate use
– Can be turned into a DoS (remember spoofing)
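An added example (not from the slides) of the "communicates with the firewall to block attacker" response with guards against the DoS in the last con: alerts whose source address cannot be trusted (a bare SYN or UDP datagram, which can carry any source) are escalated instead of acted on, infrastructure addresses are never auto-blocked, and blocks are capped and expire. The address list, cap and TTL are constructed.

```python
import time

class AutoBlocker:
    """IPS responder that decides whether to ask the firewall to block an
    alert's source address, or to escalate to a human instead."""
    def __init__(self, never_block, max_blocks: int, ttl: float):
        self.never_block = set(never_block)   # DNS, partners, gateways: never cut off automatically
        self.max_blocks = max_blocks          # cap on simultaneous automatic blocks
        self.ttl = ttl                        # seconds a block stays in place
        self.blocked: dict[str, float] = {}   # ip -> expiry time

    def _expire(self, now: float) -> None:
        self.blocked = {ip: t for ip, t in self.blocked.items() if t > now}

    def handle_alert(self, src_ip: str, from_established: bool, now=None) -> str:
        """from_established: the alert came from a completed TCP session, so the
        source address was actually reachable and is not simply spoofed."""
        now = time.time() if now is None else now
        self._expire(now)
        if src_ip in self.never_block:
            return "ESCALATE"           # blocking this would hurt us more than the attacker
        if not from_established:
            return "ESCALATE"           # spoofable source: acting on it invites a DoS
        if src_ip in self.blocked:
            return "ALREADY_BLOCKED"
        if len(self.blocked) >= self.max_blocks:
            return "ESCALATE"           # too many blocks in flight: a human decides
        self.blocked[src_ip] = now + self.ttl
        return "BLOCK"                  # here a real responder would push a firewall rule
```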
Several different intrusion prevention strategies at the host level are being developed
HOST IPS
Code injection protection / mitigation
– Non executable stack (Sun Solaris)
– Non writeable code segment, non executable everything else (OpenBSD, Linux w/GR Security, Windows XP sp2 w/AMD64)
– Address randomization (OpenBSD, GR Security)
Containment
– Chroot jails (POSIX)
– System call policing, systrace (OpenBSD, NetBSD)
– Privilege separation (OpenBSD)
The concept of a network perimeter is coming to an end
THE NEW PERIMETER
Peer 2 Peer
HTTP tunneling
– SSL
Instant messaging
Rich e-mail clients
Personal firewalls bring packet filtering to the workstation
PERSONAL FIREWALLS
Polices traffic coming in and going out the workstations
Adds the application dimension to the rules
Dynamically configurable
Starts to borrow capabilities from IPS
Q&A
Thank You!
Maximiliano Caceres | [email protected]
http://www.coresecurity.com