Title: Intrusion Detection
Slide 1: Intrusion Detection & Response Leveraging Next-Generation Firewalls
- Ahmed Abdel-Aziz
- November 2009
- GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT)
- CISSP
Slide 2: Objective
- 1) Describe Recent Threat Trends & Security Statistics
- 2) What are Next-Generation Firewalls (NGFWs)
- 3) How to Leverage NGFWs in Intrusion Detection
  - NGFWs in Bot Detection & Extrusion Detection
- 4) How to Leverage NGFWs in Intrusion Response
  - NGFWs in Incident Handling, NAC, and Application Enforcement
- 5) Important Planning Considerations
Slide 3: Threat Trends & Security Statistics
Section 1 of 5
- Bots Increasing: Trojan variants spiked 300% from 2007 to 2008 (source: McAfee Virtual Criminology Report, 2008)
- Compromise Discovery takes at least months, 65% of the time
- Responding to Compromise takes at least weeks, 63% of the time (source: Verizon Business, 2008 Data Breach Investigations Report)
- NGFWs Can Significantly Reduce Compromise Discovery (specifically Bot detection) & Response Times.
Slide 4: NGFWs: The Evolution
Section 2 of 5
- NGFWs Incorporate Multiple Security Services
- NGFWs Not a Solution to Every Problem (examples):
  - Use WAF for web application attacks (XSS, SQL Injection, etc.)
  - Use dedicated email security solution for advanced spam filtering
- Firewalls Typically a Prevention Control; NGFWs Can Also Become a Detection & Reactive Control
- More Effective, Simpler, and Economical Security
Slide 5: NGFWs in Bot Detection
Section 3 of 5 (Intrusion Detection)
- What Bots Do
  - Steal Sensitive Info
  - Send Spam, Act as Proxy
  - Execute DDoS & Other Attacks
- Bot Detection Techniques
  - (1) Detection by Using NIPS Component of NGFW
    - NIPS Blocks Attacks Originating from Internal Bots
    - NIPS Cuts Communication Between Bot & its Command-and-Control (C&C) Server using Known Traffic Signatures
    - (Popular Bots Only, Unencrypted Communication Only)
Slide 6: NGFWs in Bot Detection (Continued)
Section 3 of 5 (Intrusion Detection)
- (2) Detection by Blocking Protocol Used in Command-and-Control (C&C)
  - Stop Storm Bot Updates by Blocking eDonkey P2P Protocol
  - Configured in Fortinet Technology using a Protection Profile
- (3) Detection by Logging Violations & Audit Trail
  - Add Explicit Deny Rule at End of Firewall Policy for Logging
  - Tighten Outgoing Firewall Policy Too, Not Just Incoming
  - Network Audit Trail for Traffic Flow Analysis & Anomalies
  - (Malware Can be Detected Without Antivirus, Interesting!!)
Slide 7: NGFWs in Bot Detection (Continued)
Section 3 of 5 (Intrusion Detection)
- (4) Detection by Filtering Malicious Content in Traffic
  - Leverage Perimeter Antimalware, Antispam, URL Filtering
  - Configured in Fortinet Technology Using a Protection Profile
  - Use SSL Inspection for Network Encrypted Protocols: HTTPS, SMTPS, POPS, IMAPS
- (5) Detection Using DNS Based Techniques
  - High Number of MX DNS Requests From Non-SMTP Server
  - Same DNS Request From Many Internal Hosts At Same Time
  - Very Small TTL Values in DNS Replies (Fast Flux)
  - (What's in Common? DNS Anomalous Traffic)
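The three DNS heuristics on this slide, applied to a constructed DNS query log as an added example (not code from the deck or from Fortinet). The log format, the thresholds, and the mail-server address 10.0.0.25 are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original deck). Assumed format:
# "<epoch> <client_ip> <qtype> <qname> ttl=<seconds>"; 10.0.0.25 is the real mail server.
SAMPLE_DNS_LOG = """\
1000 10.0.0.5 MX example.com ttl=3600
1000 10.0.0.5 MX mail-provider.net ttl=3600
1001 10.0.0.5 MX other-isp.org ttl=3600
1001 10.0.0.5 MX some-university.edu ttl=3600
1002 10.0.0.5 MX yet-another.example ttl=3600
1003 10.0.0.25 MX example.com ttl=3600
1005 10.0.0.7 A cc.bad-example.test ttl=60
1005 10.0.0.8 A cc.bad-example.test ttl=45
1005 10.0.0.9 A cc.bad-example.test ttl=30
1007 10.0.0.20 A www.example.com ttl=86400
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) ttl=(\d+)$")

def parse_dns_log(log_text):
    """Return (timestamp, client, qtype, qname, ttl) tuples; skip unparsable lines."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, qtype, qname, ttl = m.groups()
            records.append((int(ts), client, qtype, qname, int(ttl)))
    return records

def find_dns_anomalies(records, mail_servers, mx_threshold=3, host_threshold=3, ttl_threshold=300):
    """Apply the slide's three DNS heuristics; the thresholds are tuning assumptions."""
    mx_names_by_client = defaultdict(set)   # (a) MX lookups from non-SMTP hosts
    clients_by_qname_ts = defaultdict(set)  # (b) same name asked by many hosts in the same second
    low_ttl_names = set()                   # (c) fast-flux style tiny TTLs
    for ts, client, qtype, qname, ttl in records:
        if qtype == "MX" and client not in mail_servers:
            mx_names_by_client[client].add(qname)
        clients_by_qname_ts[(ts, qname)].add(client)
        if ttl < ttl_threshold:
            low_ttl_names.add(qname)
    return {
        "mx_from_non_mail_server": sorted(c for c, n in mx_names_by_client.items() if len(n) >= mx_threshold),
        "same_query_many_hosts": sorted({q for (_, q), cs in clients_by_qname_ts.items() if len(cs) >= host_threshold}),
        "fast_flux_low_ttl": sorted(low_ttl_names),
    }
```

Feeding `parse_dns_log(SAMPLE_DNS_LOG)` to `find_dns_anomalies(..., mail_servers={"10.0.0.25"})` flags 10.0.0.5 for MX lookups and cc.bad-example.test under both remaining heuristics; the legitimate mail server is exempt from the MX rule only.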
Slide 8: NGFWs in Extrusion Detection
Section 3 of 5 (Intrusion Detection)
- Basic Data Leakage Prevention
  - Prevent Confidential Documents Leakage Through HTTP
  - Achieved by Defining Watermark & Creating Custom IPS Rule
  - Sample Rule for Fortinet NGFW Below:
        config ips custom
            edit DataLeakageThroughHTTP
                set signature 'F-SBID( --name "DLP"; --dst_port 80; --flow bi_direction; --default_action DROP; --protocol tcp; --pattern "Organization Confidential X!kltsrodm(!sldrk4dk-"; )'
            next
        end
  - Other Rules Can be Used to Detect Credit Card Numbers using Regular Expressions
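The same two checks the slide describes (watermark match and credit-card regex) as a host-side content inspector, added here as an example and not code from the deck or a Fortinet feature. The watermark string is the one in the sample rule above; the sample POST body and the Luhn filter are assumptions of this example.

```python
import re

# Watermark string from the deck's sample Fortinet IPS rule
WATERMARK = "Organization Confidential X!kltsrodm(!sldrk4dk-"

# Candidate card numbers: 13-16 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits):
    """Luhn checksum; filters out most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits

def inspect_http_body(body):
    """Return (action, reasons): DROP when the watermark or a valid card number is present."""
    reasons = []
    if WATERMARK in body:
        reasons.append("watermark")
    cards = find_card_numbers(body)
    if cards:
        reasons.append("card_numbers:%d" % len(cards))
    return ("DROP" if reasons else "ALLOW", reasons)

# Constructed sample HTTP POST body (not from the deck); 4111 1111 1111 1111 is the
# well-known Luhn-valid test number, 1234567890123456 fails the checksum
SAMPLE_BODY = "name=test&notes=card 4111 1111 1111 1111 ref 1234567890123456"
```

The Luhn step is what keeps an order number or timestamp of the right length from tripping the rule; a firewall regex signature without it will fire on far more traffic.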
Slide 9: NGFWs in Incident Handling
Section 4 of 5 (Intrusion Response)
- Security Incident Took Place While On-site
  - (Process Proved Effective in Responding to Spambot)
- (1) Identification Phase, Incident Handling Process
  - Users Suddenly Unable to Send Email to Any Destination
  - nslookup & telnet to Send Email, SMTP Connection Rejected
  - Public IP Blacklisted as Spam Sender
  - Sudden Spike in Email Activity → Spambot on the Network
Slide 10: NGFWs in Incident Handling (Continued)
Section 4 of 5 (Intrusion Response)
- (2) Containment Phase, Incident Handling Process
  - Block All Outgoing TCP/25 Except from Mail Server
  - Spambots on Network Unable to Send More Spam, but Damage Already Done (Public IP has been Blacklisted)
- (3) Eradication Phase, Incident Handling Process
  - Goal: Remove Attacker's Artifacts
  - Spambots Detected by Logging Violations to TCP/25 Rule Configured in Containment → 12 Spambots Detected!
  - Eradication Needs Time; Disconnect Bots, Move to Recovery
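How the containment rule's audit trail (the logged deny rule from slide 6, reused here to find the spambots) is turned into a host list, as an added example that is not from the deck. The key=value lines are constructed and only loosely modelled on firewall traffic logs; policy 99, the mail server 10.0.0.25 and the field names are assumptions.

```python
import re
from collections import Counter

# Constructed key=value traffic log lines (loosely modelled on firewall traffic logs, not from
# the deck). policyid=99 is assumed to be the explicit deny rule added in containment;
# 10.0.0.25 is the legitimate mail server allowed out on TCP/25 by policy 5.
SAMPLE_FW_LOG = """\
time=10:01:02 srcip=10.0.0.25 dstip=203.0.113.10 proto=6 dstport=25 action=accept policyid=5
time=10:01:05 srcip=10.0.0.31 dstip=198.51.100.7 proto=6 dstport=25 action=deny policyid=99
time=10:01:06 srcip=10.0.0.31 dstip=198.51.100.8 proto=6 dstport=25 action=deny policyid=99
time=10:01:07 srcip=10.0.0.44 dstip=192.0.2.9 proto=6 dstport=25 action=deny policyid=99
time=10:01:09 srcip=10.0.0.52 dstip=192.0.2.77 proto=6 dstport=443 action=deny policyid=99
time=10:01:10 srcip=10.0.0.31 dstip=198.51.100.9 proto=6 dstport=25 action=deny policyid=99
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_kv(line):
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def outbound_smtp_denials(log_text):
    """Count denied outbound TCP/25 attempts per source host (the deny rule's audit trail)."""
    attempts = Counter()
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if (rec.get("action") == "deny" and rec.get("proto") == "6"
                and rec.get("dstport") == "25"):
            attempts[rec["srcip"]] += 1
    return attempts

def triage(log_text, mail_servers):
    """Split denied hosts into suspected spambots and mail servers wrongly caught by the rule
    (the latter is the self-inflicted outage to watch for when the exception is mistyped)."""
    attempts = outbound_smtp_denials(log_text)
    suspected = {ip: n for ip, n in attempts.items() if ip not in mail_servers}
    misconfigured = sorted(ip for ip in attempts if ip in mail_servers)
    return suspected, misconfigured
```

The denied 443 connection from 10.0.0.52 is ignored on purpose: only TCP/25 violations are evidence for this incident, so other hits on the catch-all deny rule go to the general audit trail instead.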
Slide 11: NGFWs in Incident Handling (Continued)
Section 4 of 5 (Intrusion Response)
- (4) Recovery Phase, Incident Handling Process
  - Action 1 (Change Mail Server's Blacklisted Public IP)
    - In Fortinet Technology, Feature is Called IP Pools
    - Effect on Outgoing Mail Traffic Only; Otherwise DNS MX Record Must be Changed
  - Action 2 (Remove Public IP from Blacklists)
    - Get Blacklists from MXtoolbox.com & Request Removal of IP
- (5) Lessons Learned Phase, Incident Handling Process
  - Duration from Identification to Recovery Only one Hour!!
  - Compare to Typical Intrusion Response Time of Weeks (Source: Verizon Business, 2008 Data Breach Investigations Report)
Slide 12: NGFWs in Network Access Control
Section 4 of 5 (Intrusion Response)
- Pre-Admission Network Access Control in NGFW
  - Checks for Existing, Running & Updated Endpoint Security Solution (Isolate Hosts with Compromised Endpoint Security Solution)
  - Pre-build Application White-list & Enable On-Demand (Isolate Hosts with Unknown Applications Installed)
- Post-Admission Network Access Control in NGFW
  - Isolate Hosts that Originate Attacks Detected by NIPS
  - Isolate Virus Senders Detected by Antimalware
  - Isolate Hosts Violating Configured DLP Rules
  - Allows Very Fast Response Time (Self-DoS Potential)
Slide 13: NGFWs in Application Enforcement
Section 4 of 5 (Intrusion Response)
- Enforcing Application Use
  - Only Windows Firefox Allowed as a Web Browser
  - IPS Negative (-ve) Security Model Becomes a Positive (+ve) Security Model
  - Achieved by Creating Custom IPS Rule on NGFW
  - Sample Rule for Fortinet NGFW Below:
        config ips custom
            edit NotFirefoxBrowserOnWindows
                set signature 'F-SBID( --name "App Enforcement"; --service HTTP; --default_action DROP; --flow established; --pattern "GET"; --context header; --pattern !"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.0.5) Gecko/2008120123 Firefox/3.0.5\r\n"; --context header; )'
            next
        end
Slide 14: Important Planning Considerations
Section 5 of 5
- Proper Product Selection & Sizing Key to Performance
  - Research Underlying HW Technology & SW Integration
  - Datasheet Figures not Enough; Check Independent Testing Lab Certification for Real-World Performance
  - Ex: NSS Labs Report on the FortiGate 3810A NGFW States Sustained 270Mbps Throughput with all Security Services Enabled
- Check Quality of Security Services Included in NGFW (ICSA Labs Certification for IPS, Firewall, AntiMalware, etc.)
- Avoid Single Point of Failure by Clustering
- Decide whether to Fail Open or Closed (Balance Availability Need with Confidentiality & Integrity Need)
Slide 15: Summary
- Statistics Demonstrate Improvement Needed in Current State of Intrusion Detection & Response
- NGFWs Can be Leveraged to Significantly Improve Intrusion Detection & Response Times, Including Bot Intrusions
- Planning Deployment Critical to Reap Rewards
- Paper in SANS Reading Room Includes More Info:
  http://www.sans.org/reading_room/whitepapers/firewalls/intrusion_detection_and_response_leveraging_next_generation_firewall_technology_33053 or search on NGFW in SANS site