Intrusion Detection - PowerPoint PPT Presentation

Provided by: sans4
Slides: 16

Transcript and Presenter's Notes

1
Intrusion Detection & Response: Leveraging
Next-Generation Firewalls
  • Ahmed Abdel-Aziz
  • November 2009
  • GIAC (GCIA, GCIH, GSNA, GCUX, GWAPT)
  • CISSP

2
Objective
  • 1) Describe Recent Threat Trends & Security
    Statistics
  • 2) What are Next-Generation Firewalls (NGFWs)
  • 3) How to Leverage NGFWs in Intrusion Detection
  • NGFWs in Bot Detection & Extrusion Detection
  • 4) How to Leverage NGFWs in Intrusion Response
  • NGFWs in Incident Handling, NAC, and Application
    Enforcement
  • 5) Important Planning Considerations

3
Threat Trends & Security Statistics
Section 1 of 5
  • Bots Increasing - Trojan variants spiked 300%
    from 2007 to 2008 (source: McAfee Virtual
    Criminology Report, 2008)
  • Compromise Discovery takes at least months, 65%
    of the time
  • Responding to Compromise takes at least weeks,
    63% of the time
  • (source: Verizon Business, 2008 Data Breach
    Investigations Report)
  • NGFWs Can Significantly Reduce Compromise
    Discovery (specifically Bot detection) & Response
    Times.

4
NGFWs The Evolution
Section 2 of 5
  • NGFWs Incorporate Multiple Security Services
  • NGFWs Not a Solution to Every Problem (examples)
  • Use WAF for web application attacks (XSS, SQL
    Injection, etc.)
  • Use dedicated email security solution for
    advanced spam filtering
  • Firewalls Typically a Prevention Control; NGFWs Can
    Also Become a Detection & Reactive Control
  • More Effective, Simpler, and Economical Security

5
NGFWs in Bot Detection
Section 3 of 5 (Intrusion Detection)
  • What Bots Do
  • Steal Sensitive Info
  • Send Spam, Act as Proxy
  • Execute DDoS & Other Attacks
  • Bot Detection Techniques
  • (1) Detection by Using NIPS Component of NGFW
  • NIPS Blocks Attacks Originating from Internal
    Bots
  • NIPS Cuts Communication Between Bot & its
    Command-and-Control (C&C) Server using Known
    Traffic Signatures
  • (Popular Bots Only, Unencrypted Communication
    Only)

6
NGFWs in Bot Detection Continued
Section 3 of 5 (Intrusion Detection)
  • (2) Detection by Blocking Protocol Used in
    Command-and-Control (C&C)
  • Stop Storm Bot Updates by Blocking eDonkey P2P
    Protocol
  • Configured in Fortinet Technology using a
    Protection Profile
  • (3) Detection by Logging Violations & Audit Trail
  • Add Explicit Deny Rule at End of Firewall Policy
    for Logging
  • Tighten Outgoing Firewall Policy Too, Not Just
    Incoming
  • Network Audit Trail for Traffic Flow Analysis &
    Anomalies
  • (Malware Can be Detected Without Antivirus,
    Interesting!)

7
NGFWs in Bot Detection Continued
Section 3 of 5 (Intrusion Detection)
  • (4) Detection by Filtering Malicious Content in
    Traffic
  • Leverage Perimeter Antimalware, Antispam, URL
    Filtering
  • Configured in Fortinet Technology Using a
    Protection Profile
  • Use SSL Inspection for Network Encrypted
    Protocols: HTTPS, SMTPS, POPS, IMAPS
  • (5) Detection Using DNS Based Techniques
  • High Number of MX DNS Requests From Non-SMTP
    Server
  • Same DNS Request From Many Internal Hosts At Same
    Time
  • Very Small TTL Values in DNS Replies (Fast-Flux)
  • (What's in Common? → DNS Anomalous Traffic)
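The three DNS indicators on this slide can be checked from a resolver or firewall DNS log without any signature. The script below is an added example, not part of the presentation or any Fortinet feature: it parses a constructed log (the line format, the sample entries, the mail-server address 10.0.0.10 and the thresholds are all assumptions) and flags MX lookups from non-mail hosts, the same name resolved by many hosts within a few seconds, and replies with very small TTLs.

```python
import re
from collections import Counter, defaultdict

# Constructed DNS query/reply log; the line format is assumed (not real resolver output):
# <epoch_seconds> <client_ip> <qtype> <qname> <ttl_in_reply>
SAMPLE_DNS_LOG = """\
1259000000 10.0.0.25 MX example.com 3600
1259000001 10.0.0.25 MX mail-provider.net 3600
1259000002 10.0.0.25 MX freemail.org 3600
1259000003 10.0.0.25 MX isp-mail.com 3600
1259000003 10.0.0.25 MX corp-mx.io 3600
1259000005 10.0.0.25 MX other.example 3600
1259000010 10.0.0.41 A update.cnc-example.test 30
1259000010 10.0.0.42 A update.cnc-example.test 30
1259000011 10.0.0.43 A update.cnc-example.test 30
1259000011 10.0.0.44 A update.cnc-example.test 30
1259000012 10.0.0.45 A update.cnc-example.test 30
1259000030 10.0.0.7 A www.example.com 86400
1259000031 10.0.0.8 MX example.com 3600
1259000040 10.0.0.9 A flux.example.test 60
"""

MAIL_SERVERS = frozenset({"10.0.0.10"})  # assumed: the only legitimate SMTP host
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_dns_log(text):
    """Parse the assumed log format into (ts, client, qtype, qname, ttl) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname, ttl = m.groups()
            records.append((int(ts), client, qtype.upper(), qname.lower(), int(ttl)))
    return records


def mx_lookups_from_non_mail_hosts(records, threshold=5):
    """Hosts other than the mail servers issuing many MX queries
    (a spambot resolving its recipients' mail exchangers)."""
    counts = Counter(client for _, client, qtype, _, _ in records
                     if qtype == "MX" and client not in MAIL_SERVERS)
    return {c: n for c, n in counts.items() if n >= threshold}


def synchronized_lookups(records, window=5, min_hosts=4):
    """Names that many distinct hosts resolve within `window` seconds
    (bots checking in with the same C&C name at the same time)."""
    by_name = defaultdict(list)
    for ts, client, _, qname, _ in records:
        by_name[qname].append((ts, client))
    flagged = {}
    for qname, events in by_name.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {c for t, c in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[qname] = len(hosts)
                break
    return flagged


def low_ttl_names(records, max_ttl=300):
    """Names answered with very small TTLs (fast-flux style address rotation)."""
    return sorted({qname for _, _, _, qname, ttl in records if ttl <= max_ttl})


def analyze(text):
    """Run all three checks over one log and return the findings."""
    recs = parse_dns_log(text)
    return {"mx_from_non_mail": mx_lookups_from_non_mail_hosts(recs),
            "synchronized": synchronized_lookups(recs),
            "low_ttl": low_ttl_names(recs)}


if __name__ == "__main__":
    for check, finding in analyze(SAMPLE_DNS_LOG).items():
        print(f"{check}: {finding}")
```

Each finding on its own is a lead, not a verdict: a low TTL is also normal for CDN names, so in practice the three results are correlated with the firewall audit trail before a host is isolated.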

8
NGFWs in Extrusion Detection
Section 3 of 5 (Intrusion Detection)
  • Basic Data Leakage Prevention
  • Prevent Confidential Documents Leakage Through
    HTTP
  • Achieved by Defining Watermark & Creating Custom
    IPS Rule
  • Sample Rule for Fortinet NGFW Below

    config ips custom
        edit "DataLeakageThroughHTTP"
            set signature "F-SBID( --name \"DLP\"; --dst_port 80; --flow bi-direction; --default_action DROP; --protocol tcp; --pattern \"Organization Confidential X!kltsrodm(!sldrk4dk-\"; )"
        next
    end

  • Other Rules Can be Used to Detect Credit Card
    Numbers using Regular Expressions
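To show what the watermark rule and a credit-card regex actually decide on real request bodies, here is an added example written for this transcript (not Fortinet code and not from the presentation). The watermark string is the one in the slide's sample rule; the HTTP bodies are constructed. The regex matches 13 to 19 digit runs with optional separators, and a Luhn check is added on top, which is what keeps order and invoice numbers from triggering the rule.

```python
import re

# Watermark string taken from the slide's sample rule
WATERMARK = "Organization Confidential X!kltsrodm(!sldrk4dk-"
# 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check-digit test; most random digit runs the regex matches fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return normalised digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def inspect_http_body(body):
    """Decide what a DLP rule combining both checks would do with one request body."""
    cards = find_card_numbers(body)
    watermark = WATERMARK in body
    return {"watermark": watermark,
            "cards": cards,
            "action": "DROP" if (watermark or cards) else "PASS"}


# Constructed sample request bodies (not captured traffic)
LEAKED_DOC = "POST /upload ... Organization Confidential X!kltsrodm(!sldrk4dk- Q4 plan ..."
ORDER_FORM = "name=alice&card=4111 1111 1111 1111&exp=12/11"   # 4111... is the standard Visa test number
INVOICE = "invoice=12345678901234&total=42.00"                  # 14 digits, fails Luhn

if __name__ == "__main__":
    for label, body in (("leaked doc", LEAKED_DOC), ("order form", ORDER_FORM), ("invoice", INVOICE)):
        print(label, inspect_http_body(body))
```

The watermark check is an exact substring match, exactly as the `--pattern` keyword is; it is only as good as the watermark being present in every copy of the document, which is why it is described on the slide as basic DLP.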

9
NGFWs in Incident Handling
Section 4 of 5 (Intrusion Response)
  • Security Incident Took Place While On-site
  • (Process Proved Effective in Responding to
    Spambot)
  • (1) Identification Phase - Incident Handling
    Process
  • Users Suddenly Unable to Send Email to Any
    Destination
  • nslookup & telnet to Send Email, SMTP Connection
    Rejected
  • Public IP Blacklisted as Spam Sender
  • Sudden Spike in Email Activity →
    Spambot on the Network

10
NGFWs in Incident Handling Continued
Section 4 of 5 (Intrusion Response)
  • (2) Containment Phase - Incident Handling Process
  • Block All Outgoing TCP/25 Except from Mail Server
  • Spambots on Network Unable to Send More Spam, but
    Damage Already Done (Public IP has been
    Blacklisted)
  • (3) Eradication Phase - Incident Handling Process
  • Goal: Remove Attacker's Artifacts
  • Spambots Detected by Logging Violations to TCP/25
    Rule Configured in Containment → 12 Spambots
    Detected!
  • Eradication Needs Time: Disconnect Bots, Move to
    Recovery
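The containment rule above ("block outgoing TCP/25 except from the mail server") becomes a detector as soon as its violations are logged, which is the same idea as slide 6's explicit deny-and-log rule at the end of the policy. The script below is an added example for both slides, not the presenter's tooling or FortiGate output: it parses a constructed key=value deny log (the format, the addresses, the policy ids 50 and 99 and the mail server 10.0.0.10 are all assumptions), lists the hosts that tried to send on TCP/25 anyway, and summarises what the final explicit-deny rule caught.

```python
import re
from collections import Counter

# Constructed sample lines in a key=value style (assumed format, not real device output).
# Assumed policy ids: 50 = "no TCP/25 except mail server" containment rule,
# 99 = explicit deny-and-log rule at the end of the policy.
SAMPLE_DENY_LOG = """\
date=2009-11-02 time=10:15:01 srcip=10.0.0.31 dstip=203.0.113.5 dstport=25 proto=6 action=deny policyid=50
date=2009-11-02 time=10:15:02 srcip=10.0.0.31 dstip=203.0.113.6 dstport=25 proto=6 action=deny policyid=50
date=2009-11-02 time=10:15:02 srcip=10.0.0.52 dstip=198.51.100.9 dstport=25 proto=6 action=deny policyid=50
date=2009-11-02 time=10:15:03 srcip=10.0.0.31 dstip=203.0.113.7 dstport=25 proto=6 action=deny policyid=50
date=2009-11-02 time=10:15:04 srcip=10.0.0.77 dstip=198.51.100.12 dstport=25 proto=6 action=deny policyid=50
date=2009-11-02 time=10:15:05 srcip=10.0.0.52 dstip=198.51.100.10 dstport=25 proto=6 action=deny policyid=50
date=2009-11-02 time=10:15:06 srcip=10.0.0.10 dstip=203.0.113.5 dstport=25 proto=6 action=accept policyid=40
date=2009-11-02 time=10:15:07 srcip=10.0.0.64 dstip=192.0.2.33 dstport=4662 proto=6 action=deny policyid=99
date=2009-11-02 time=10:15:08 srcip=10.0.0.64 dstip=192.0.2.34 dstport=4662 proto=6 action=deny policyid=99
date=2009-11-02 time=10:15:09 srcip=10.0.0.7 dstip=192.0.2.80 dstport=443 proto=6 action=accept policyid=10
"""

MAIL_SERVERS = frozenset({"10.0.0.10"})  # assumed: the only host allowed to send on TCP/25
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each key=value line into a dict; lines without fields are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields:
            fields["dstport"] = int(fields["dstport"])
            records.append(fields)
    return records


def denied_to_port(records, port, exempt=frozenset()):
    """Sources whose connections to `port` were denied, with hit counts.
    With port=25 and the mail server exempted this is the containment rule's
    violation list: every host in it is a spambot candidate."""
    return Counter(r["srcip"] for r in records
                   if r["action"] == "deny" and r["dstport"] == port
                   and r["srcip"] not in exempt)


def explicit_deny_hits(records, deny_policy_id="99"):
    """Audit trail from the final explicit-deny rule as (src, dstport) pairs;
    outbound hits on unexpected ports are the traffic-flow anomalies slide 6 refers to."""
    return Counter((r["srcip"], r["dstport"]) for r in records
                   if r["policyid"] == deny_policy_id)


def suspected_spambots(records):
    """Sorted list of internal hosts that tried to send mail directly."""
    return sorted(denied_to_port(records, 25, MAIL_SERVERS))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_DENY_LOG)
    print("TCP/25 violators:", dict(denied_to_port(recs, 25, MAIL_SERVERS)))
    print("Suspected spambots:", suspected_spambots(recs))
    print("Explicit-deny hits:", dict(explicit_deny_hits(recs)))
```

The mail server never shows up in the violation list because its traffic matches an accept rule before the deny; if it ever did, the rule order, not the host, is what to check first.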

11
NGFWs in Incident Handling Continued
Section 4 of 5 (Intrusion Response)
  • (4) Recovery Phase - Incident Handling Process
  • Action 1 (Change Mail Server's Blacklisted Public
    IP)
  • In Fortinet Technology, Feature is Called IP
    Pools
  • Effect on Outgoing Mail Traffic Only; Otherwise
    DNS MX Record Must be Changed
  • Action 2 (Remove Public IP from Blacklists)
  • Get Blacklists from MXtoolbox.com & Request
    Removal of IP
  • (5) Lessons Learned Phase - Incident Handling
    Process
  • Duration from Identification to Recovery Only
    One Hour!!
  • Compare to Typical Intrusion Response Time of
    Weeks
  • (source: Verizon Business, 2008 Data Breach
    Investigations Report)

12
NGFWs in Network Access Control
Section 4 of 5 (Intrusion Response)
  • Pre-Admission Network Access Control in NGFW
  • Checks for Existing, Running & Updated Endpoint
    Security Solution (Isolate Hosts with Compromised
    Endpoint Security Solution)
  • Pre-build Application White-list & Enable
    On-Demand (Isolate Hosts with Unknown
    Applications Installed)
  • Post-Admission Network Access Control in NGFW
  • Isolate Hosts that Originate Attacks Detected by
    NIPS
  • Isolate Virus Senders Detected by Antimalware
  • Isolate Hosts Violating Configured DLP Rules
  • Allows Very Fast Response Time (Self-DoS
    Potential)

13
NGFWs in Application Enforcement
Section 4 of 5 (Intrusion Response)
  • Enforcing Application Use
  • Only Windows Firefox Allowed as a Web Browser
  • IPS Negative (-ve) Security Model Becomes Positive
    (+ve) Security Model
  • Achieved by Creating Custom IPS Rule on NGFW
  • Sample Rule for Fortinet NGFW Below

    config ips custom
        edit "NotFirefoxBrowserOnWindows"
            set signature "F-SBID( --name \"App Enforcement\"; --service HTTP; --default_action DROP; --flow established; --pattern \"GET\"; --context header; --pattern !\"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.0.5) Gecko/2008120123 Firefox/3.0.5\r\n\"; --context header; )"
        next
    end
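The rule above inverts the usual IPS logic: instead of dropping requests that match a bad pattern, it drops every GET whose User-Agent does not match the one allowed browser. The added example below (written for this transcript, not Fortinet code) parses raw HTTP requests and applies both models side by side so the difference is visible on the same input: the negative model passes any agent it has not been told about, the positive model drops it. The allow-list regex, the block-list marker and the three constructed requests are assumptions; the allowed User-Agent string is the one from the slide, with only the locale left variable.

```python
import re

# Positive model: allow-list built from the slide's User-Agent (Firefox 3.0.5 on Windows XP).
# Assumption: the locale may vary; everything else must match exactly.
ALLOWED_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; [a-z]{2}(?:-[a-z]{2})?; rv:1\.9\.0\.5\) "
    r"Gecko/\d{10} Firefox/3\.0\.5$")

# Negative model: constructed block-list of agents an operator has already named as unwanted.
BLOCKED_UA_MARKERS = ("MSIE 6.0",)


def user_agent(raw_request):
    """Pull the User-Agent header out of a raw HTTP request (CRLF line endings)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def positive_model(raw_request):
    """Drop every GET whose User-Agent is not on the allow-list (what the slide's !pattern does).
    A request with no User-Agent header at all is dropped as well."""
    if not raw_request.startswith("GET "):
        return "PASS"
    ua = user_agent(raw_request)
    return "PASS" if ua and ALLOWED_UA.match(ua) else "DROP"


def negative_model(raw_request):
    """Drop only agents matching a known-bad marker; anything unknown passes."""
    ua = user_agent(raw_request) or ""
    return "DROP" if any(marker in ua for marker in BLOCKED_UA_MARKERS) else "PASS"


def build_get(ua):
    """Construct a minimal GET request carrying the given User-Agent."""
    return f"GET / HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: {ua}\r\n\r\n"


# Constructed User-Agent strings for the comparison
FIREFOX_XP = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.0.5) Gecko/2008120123 Firefox/3.0.5"
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UNKNOWN = "curl/7.19.7"

if __name__ == "__main__":
    for label, ua in (("Firefox/XP", FIREFOX_XP), ("IE6", IE6), ("unknown", UNKNOWN)):
        req = build_get(ua)
        print(f"{label:10} positive={positive_model(req)} negative={negative_model(req)}")
```

The cost of the positive model is maintenance: every Firefox update changes the `rv:` and `Firefox/` tokens, so the allow-list must be updated in step with the desktop image or the rule will drop the whole user base after the next browser upgrade.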

14
Important Planning Considerations
Section 5 of 5
  • Proper Product Selection & Sizing Key to
    Performance
  • Research Underlying HW Technology & SW
    Integration
  • Datasheet Figures not Enough, Check Independent
    Testing Lab Certification for Real-World
    Performance
  • Ex: NSS Labs Report on the FortiGate 3810A
    NGFW States Sustained 270Mbps Throughput with
    all Security Services Enabled
  • Check Quality of Security Services Included in
    NGFW
  • (ICSA Labs Certification for IPS, Firewall,
    AntiMalware, etc.)
  • Avoid Single Point of Failure by Clustering
  • Decide whether to Fail Open or Closed
  • (Balance Availability Need with
    Confidentiality & Integrity Need)

15
Summary
  • Statistics Demonstrate Improvement Needed in
    Current State of Intrusion Detection & Response
  • NGFWs Can be Leveraged to Significantly Improve
    Intrusion Detection & Response Times
  • Including Bot Intrusions
  • Planning & Deployment Critical to Reap Rewards
  • Paper in SANS Reading Room Includes More Info
  • http://www.sans.org/reading_room/whitepapers/firewalls/intrusion_detection_and_response_leveraging_next_generation_firewall_technology_33053
    or search on NGFW in SANS site