14 ids ips firewalls
Post on 16-Feb-2018
TRANSCRIPT
-
7/23/2019 14 IDS IPS Firewalls
1/52
Eng. Hector M Lugo-Cordero, MS
April 2012
Intrusion Detection, Firewalls, and Intrusion Prevention
CIS 4361
-
2/52
Most Slides are From
Computer Security: Principles and Practice, First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
Chapter 6
Intrusion Detection
-
3/52
Intruders
- significant issue: hostile/unwanted trespass
  - from benign to serious
- user trespass
  - unauthorized logon, privilege abuse
- software trespass
  - virus, worm, or trojan horse
- classes of intruders
  - masquerader, misfeasor, clandestine user
-
4/52
Examples of Intrusion
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying / viewing sensitive data / databases
- running a packet sniffer
- distributing pirated software
- using an unsecured modem to access net
- impersonating a user to reset password
- using an unattended workstation
-
5/52
Security Intrusion & Detection
Security Intrusion
a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.
Intrusion Detection
a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
-
6/52
Intrusion Techniques
- objective to gain access or increase privileges
- initial attacks often exploit system or software vulnerabilities to execute code to get backdoor
  - e.g. buffer overflows
- or to gain protected information
  - e.g. password guessing or acquisition
-
7/52
Hackers
- motivated by thrill of access and status
  - hacking community a strong meritocracy
  - status is determined by level of competence
- benign intruders might be tolerable
  - do consume resources and may slow performance
  - can't know in advance whether benign or malign
- IDS / IPS / VPNs can help counter
- awareness led to establishment of CERTs
  - collect / disseminate vulnerability info / responses
-
8/52
Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network
-
9/52
Criminal Enterprise
- organized groups of hackers now a threat
  - corporation / government / loosely affiliated gangs
  - typically young
  - often Eastern European or Russian hackers
- common target credit cards on e-commerce server
- criminal hackers usually have specific targets
- once penetrated act quickly and get out
- IDS / IPS help but less effective
- sensitive data needs strong protection
-
10/52
Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes.
-
11/52
Insider Attacks
- among most difficult to detect and prevent
- employees have access & systems knowledge
- may be motivated by revenge / entitlement
  - when employment terminated
  - taking customer data when move to competitor
- IDS / IPS may help but also need:
  - least privilege, monitor logs, strong authentication, termination process to block access & mirror data
-
12/52
Insider Behavior Example
1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. perform large downloads and file copying
7. access the network during off hours.
-
13/52
Intrusion Detection Systems
- classify intrusion detection systems (IDSs) as:
  - Host-based IDS: monitor single host activity
  - Network-based IDS: monitor network traffic
- logical components:
  - sensors - collect data
  - analyzers - determine if intrusion has occurred
  - user interface - manage / direct / view IDS
-
14/52
IDS Principles
- assume intruder behavior differs from legitimate users
  - expect overlap as shown
- observe deviations from past history
- problems of:
  - false positives
  - false negatives
  - must compromise
-
15/52
IDS Requirements
- run continually
- be fault tolerant
- resist subversion
- impose a minimal overhead on system
- configured according to system security policies
- adapt to changes in systems and users
- scale to monitor large numbers of systems
- provide graceful degradation of service
- allow dynamic reconfiguration
-
16/52
Host-Based IDS
- specialized software to monitor system activity to detect suspicious behavior
- primary purpose is to detect intrusions, log suspicious events, and send alerts
- can detect both external and internal intrusions
- two approaches, often used in combination:
  - anomaly detection - defines normal/expected behavior
    - threshold detection
    - profile based
  - signature detection - defines proper behavior
-
17/52
Audit Records
- a fundamental tool for intrusion detection
- two variants:
  - native audit records - provided by O/S
    - always available but may not be optimum
  - detection-specific audit records - IDS specific
    - additional overhead but specific to IDS task
    - often log individual elementary actions
    - e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp
-
18/52
Example of Audit
Consider: copy.exe game.exe <system>/game.exe
Several records may be generated for a single command:
1. Execute copy.exe
2. Read game.exe
3. Write <system>/game.exe
-
19/52
Anomaly Detection
- threshold detection
  - checks excessive event occurrences over time
  - alone a crude and ineffective intruder detector
  - must determine both thresholds and time intervals
- profile based
  - characterize past behavior of users / groups
  - then detect significant deviations
  - based on analysis of audit records
    - gather metrics: counter, gauge, interval timer, resource utilization
    - analyze: mean and standard deviation, multivariate, markov process, time series, operational model
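Added illustration, not from the slides or the Stallings/Brown text: the two anomaly-detection approaches of this slide run over detection-specific audit records carrying the fields listed on slide 17. Threshold detection counts failed logons inside a sliding time window; the profile check applies the mean and standard deviation model to a resource-usage metric. The audit trail, user names, limit and window are constructed for the example.

```python
import statistics
from collections import namedtuple

# Detection-specific audit record with the fields the slides list:
# subject, action, object, exception-condition, resource-usage, time-stamp.
AuditRecord = namedtuple(
    "AuditRecord", "subject action object exception resource_usage timestamp")

# Constructed sample audit trail (timestamps in seconds). "mallory" fails to
# log on six times within one minute; "alice" fails once, then succeeds.
AUDIT_TRAIL = [
    AuditRecord("alice", "login", "host1", "bad-password", 0, 100),
    AuditRecord("alice", "login", "host1", None, 0, 110),
    AuditRecord("alice", "exec", "/bin/ls", None, 2, 120),
] + [
    AuditRecord("mallory", "login", "host1", "bad-password", 0, 200 + 8 * i)
    for i in range(6)
]


def threshold_detect(records, action, exception, limit, window):
    """Threshold detection: return the subjects that produced more than
    `limit` records with the given action/exception inside any `window`
    seconds. Both the limit and the interval are operator-chosen, which is
    why the slide calls the method crude on its own."""
    times_by_subject = {}
    for r in records:
        if r.action == action and r.exception == exception:
            times_by_subject.setdefault(r.subject, []).append(r.timestamp)
    flagged = set()
    for subject, times in times_by_subject.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the event times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(subject)
                break
    return flagged


def profile_detect(history, current, k=3.0):
    """Profile-based detection with the mean and standard deviation model:
    the current value of a metric is anomalous when it lies more than k
    standard deviations from the subject's historical mean.
    Returns (z_score, is_anomalous)."""
    mean = statistics.mean(history)
    stdev = statistics.stdev(history)
    if stdev == 0:  # flat history: any change at all is a deviation
        return (float("inf") if current != mean else 0.0, current != mean)
    z = (current - mean) / stdev
    return (z, abs(z) > k)


if __name__ == "__main__":
    print(threshold_detect(AUDIT_TRAIL, "login", "bad-password", limit=3, window=60))
    # Resource-usage profile: CPU seconds per session for one user (constructed).
    cpu_history = [12, 15, 11, 14, 13, 12, 14]
    print(profile_detect(cpu_history, current=80))
    print(profile_detect(cpu_history, current=13))
```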
-
20/52
Examples of Anomaly (figure slide)
-
21/52
Examples of Anomaly (figure slide)
-
22/52
Signature Detection
- observe events on system and apply a set of rules to decide if intruder
- approaches:
  - rule-based anomaly detection
    - analyze historical audit records for expected behavior, then match with current behavior
  - rule-based penetration identification
    - rules identify known penetrations / weaknesses
    - often by analyzing attack scripts from Internet
    - supplemented with rules from security experts
-
23/52
Example of Signatures
- Users should not read files in other users' personal directories
- Users must not write other users' files
- Users who log in after hours often access the same files they used earlier
- Users do not generally open disk devices but rely on higher-level operating system utilities
- Users should not be logged in more than once to the same system
- Users do not make copies of system programs
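Added example, not from the slides: the signatures on this slide written as rules over subject/action/object audit events, with the "logged in more than once" signature handled statefully because it needs a per-user session count. The event trail, user names and paths are constructed; the rules are one reading of the slide's wording, not the book's.

```python
import re
from collections import namedtuple

# Audit event in the subject/action/object form of the course's
# detection-specific audit records (constructed for this example).
Event = namedtuple("Event", "subject action object")

SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def _home_owner(path):
    """Owner implied by a personal directory path: /home/bob/x -> 'bob'."""
    m = re.match(r"^/home/([^/]+)/", path)
    return m.group(1) if m else None


# One predicate per slide signature; each returns True when the event
# violates the stated expectation of normal user behaviour.
PER_EVENT_RULES = {
    "foreign_home_read": lambda ev: ev.action == "read"
        and _home_owner(ev.object) not in (None, ev.subject),
    "foreign_file_write": lambda ev: ev.action == "write"
        and _home_owner(ev.object) not in (None, ev.subject),
    "raw_disk_open": lambda ev: ev.action == "open"
        and ev.object.startswith("/dev/"),
    "system_program_copy": lambda ev: ev.action == "copy"
        and ev.object.startswith(SYSTEM_DIRS),
}


def match_signatures(events):
    """Return (rule_name, event) for every rule that fires. The
    'logged in more than once' signature is stateful, so it is kept
    separate and tracks a per-user count of open sessions."""
    alerts = []
    open_sessions = {}
    for ev in events:
        for name, rule in PER_EVENT_RULES.items():
            if rule(ev):
                alerts.append((name, ev))
        if ev.action == "login":
            open_sessions[ev.subject] = open_sessions.get(ev.subject, 0) + 1
            if open_sessions[ev.subject] > 1:
                alerts.append(("multiple_logins", ev))
        elif ev.action == "logout":
            open_sessions[ev.subject] = max(0, open_sessions.get(ev.subject, 0) - 1)
    return alerts


# Constructed sample trail: the first two events are ordinary, the rest
# each trip one of the signatures.
SAMPLE_EVENTS = [
    Event("alice", "login", "tty1"),
    Event("alice", "read", "/home/alice/notes.txt"),
    Event("alice", "read", "/home/bob/notes.txt"),
    Event("alice", "open", "/dev/sda"),
    Event("alice", "login", "pts/3"),
    Event("alice", "copy", "/bin/sh"),
    Event("bob", "write", "/home/alice/report.txt"),
]

if __name__ == "__main__":
    for name, ev in match_signatures(SAMPLE_EVENTS):
        print(f"{name}: {ev.subject} {ev.action} {ev.object}")
```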
-
24/52
Distributed Host-Based IDS (figure slide)
-
25/52
Distributed Host-Based IDS (figure slide)
-
26/52
Network-Based IDS
- network-based IDS (NIDS)
  - monitors traffic at selected points on a network
  - in near real time to detect intrusion patterns
  - may examine network, transport and/or application level protocol activity directed toward systems
- comprises a number of sensors
  - inline (possibly as part of other net device)
  - passive (monitors copy of traffic)
-
27/52
NIDS Sensor Deployment (figure slide)
-
28/52
Intrusion Detection Techniques
- signature detection
  - at application, transport, network layers
  - unexpected application services, policy violations
- anomaly detection
  - of denial of service attacks, scanning, worms
- when potential violation detected sensor sends an alert and logs information
  - used by analysis module to refine intrusion detection parameters and algorithms
  - by security admin to improve protection
-
29/52
Distributed Adaptive Intrusion Detection (figure slide)
-
30/52
Intrusion Detection Exchange Format (figure slide)
-
31/52
Honeypots
- are decoy systems
  - filled with fabricated info
  - instrumented with monitors / event loggers
  - divert and hold attacker to collect activity info
  - without exposing production systems
- initially were single systems
- more recently are/emulate entire networks
-
32/52
Honeypot Deployment (figure slide)
-
33/52
SNORT
- lightweight IDS
  - real-time packet capture and rule analysis
  - passive or inline
-
34/52
SNORT Rules
- use a simple, flexible rule definition language
- with fixed header and zero or more options
- header includes: action, protocol, source IP, source port, direction, dest IP, dest port
- many options
- example rule to detect TCP SYN-FIN attack (action keyword lowercase, as Snort requires):

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg: "SCAN SYN FIN"; flags: SF, 12; \
reference: arachnids, 198; classtype: attempted-recon;)
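Added example, not Snort's own code: a small parser for the fixed header and the option list of the rule above, plus matching of the `flags` option against constructed packet summaries, to make explicit what the SYN-FIN rule tests (SYN and FIN set, nothing else, with the two reserved bits ignored). The `$HOME_NET` / `$EXTERNAL_NET` values and the packets are assumptions for the example.

```python
import ipaddress

# The SYN-FIN rule from the slide (action written lowercase, as Snort
# expects). Everything else in this block is constructed for the example.
SYN_FIN_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg: "SCAN SYN FIN"; flags: SF, 12; '
    'reference: arachnids, 198; classtype: attempted-recon;)'
)

# Assumed network variables (Snort itself reads these from its config).
NET_VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!$HOME_NET"}

HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")


def parse_rule(text):
    """Split a rule into its fixed seven-field header and its options."""
    head, _, opts = text.partition("(")
    rule = dict(zip(HEADER_FIELDS, head.split()))
    rule["options"] = {}
    for opt in opts.rstrip(")").split(";"):
        if opt.strip():
            key, _, value = opt.partition(":")
            rule["options"][key.strip()] = value.strip().strip('"')
    return rule


def addr_matches(spec, ip):
    """Resolve 'any', a $VAR (optionally negated with '!') or a CIDR."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        hit = addr_matches(NET_VARS[spec], ip)
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return not hit if negate else hit


def flags_match(spec, packet_flags):
    """'flags: SF,12' means SYN and FIN set and nothing else, after
    discarding the flags listed after the comma (the two reserved bits)."""
    required, _, ignored = spec.replace(" ", "").partition(",")
    return set(packet_flags) - set(ignored) == set(required)


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and a flags string."""
    if rule["protocol"] != pkt["proto"] or rule["direction"] != "->":
        return False
    for ip_key, port_key, ip, port in (("src_ip", "src_port", "src", "sport"),
                                       ("dst_ip", "dst_port", "dst", "dport")):
        if not addr_matches(rule[ip_key], pkt[ip]):
            return False
        if rule[port_key] != "any" and int(rule[port_key]) != pkt[port]:
            return False
    flags = rule["options"].get("flags")
    return flags is None or flags_match(flags, pkt["flags"])


# Constructed packets: a SYN-FIN probe from outside, a normal SYN, and a
# SYN-FIN between two inside hosts, which the rule's source scope excludes.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40000,
     "dst": "192.168.1.10", "dport": 22, "flags": "SF"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40001,
     "dst": "192.168.1.10", "dport": 22, "flags": "S"},
    {"proto": "tcp", "src": "192.168.1.5", "sport": 40002,
     "dst": "192.168.1.10", "dport": 22, "flags": "SF1"},
]


def scan(packets, rule_text=SYN_FIN_RULE):
    """Apply one rule to each packet; return the alert msg or None."""
    rule = parse_rule(rule_text)
    return [rule["options"]["msg"] if rule_matches(rule, p) else None
            for p in packets]
```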
-
35/52
Summary
- introduced intruders & intrusion detection
  - hackers, criminals, insiders
- intrusion detection approaches
  - host-based (single and distributed)
  - network
  - distributed adaptive
  - exchange format
- honeypots
- SNORT example
-
36/52
Most Slides are From
Computer Security: Principles and Practice, First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
Chapter 9
Firewalls and Intrusion Prevention Systems
-
37/52
Firewall Capabilities & Limits
- capabilities
  - defines a single choke point
  - provides a location for monitoring security events
  - convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs
- limitations
  - cannot protect against attacks bypassing firewall
  - may not protect fully against internal threats
  - improperly secured wireless LAN
  - laptops, PDAs, portable storage devices infected outside then used inside
-
38/52
Types of Firewalls (figure slide)
-
39/52
Packet Filtering Firewall
- applies rules to packets in/out of firewall
  - based on information in packet header
  - src/dest IP addr & port, IP protocol, interface
- typically a list of rules of matches on fields
  - if match, rule says if forward or discard packet
- two default policies:
  - discard - prohibit unless expressly permitted
    - more conservative, controlled, visible to users
  - forward - permit unless expressly prohibited
    - easier to manage/use but less secure
-
40/52
Packet Filter Rules (figure slide)
-
41/52
Packet Filter Weaknesses
- weaknesses
  - cannot prevent attack on application bugs
  - limited logging functionality
  - do not support advanced user authentication
  - vulnerable to attacks on TCP/IP protocol bugs
  - improper configuration can lead to breaches
- attacks
  - IP address spoofing, source route attacks, tiny fragment attacks
-
42/52
Stateful Inspection Firewall
- reviews packet header information but also keeps info on TCP connections
  - typically have low, known port no for server and high, dynamically assigned client port no
  - simple packet filter must allow all return high port numbered packets back in
- stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
  - only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
  - may also track TCP seq numbers as well
-
43/52
Application-Level Gateway
- acts as a relay of application-level traffic
  - user contacts gateway with remote host name
  - authenticates themselves
  - gateway contacts application on remote host and relays TCP segments between server and user
- must have proxy code for each application
  - may restrict application features supported
- more secure than packet filters
- but have higher overheads
-
44/52
Circuit-Level Gateway
- sets up two TCP connections, to an inside user and to an outside host
- relays TCP segments from one connection to the other without examining contents
  - hence independent of application logic
  - just determines whether relay is permitted
- typically used when inside users trusted
  - may use application-level gateway inbound and circuit-level gateway outbound
  - hence lower overheads
-
45/52
Examples of Firewalls
- Windows Defender: Application level
- IP Tables: Packet level
- SOCKS: circuit-level
- MAC OS: personal firewall
- SNORT
-
46/52
Example Connection State
- Common to have along with Network Address Translation and Port Address Translation (NAT and PAT)
- Connection table columns: SrcAddr | SrcPort | DestAddr | DestPort | Status
- Status may be established, expired, ended, etc.
-
47/52
Distributed Firewalls (figure slide)
-
48/52
Intrusion Prevention Systems (IPS)
- recent addition to security products which:
  - inline net/host-based IDS that can block traffic
  - functional addition to firewall that adds IDS capabilities
- can block traffic like a firewall
- using IDS algorithms
- may be network or host based
-
49/52
Host-Based IPS
- identifies attacks using both:
  - signature techniques
    - malicious application packets
  - anomaly detection techniques
    - behavior patterns that indicate malware
- can be tailored to the specific platform
  - e.g. general purpose, web/database server specific
- can also sandbox applets to monitor behavior
- may give desktop file, registry, I/O protection
-
50/52
Network-Based IPS
- inline NIDS that can discard packets or terminate TCP connections
- uses signature and anomaly detection
- may provide flow data protection
  - monitoring full application flow content
- can identify malicious packets using:
  - pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
- cf. SNORT inline can drop/modify packets
-
51/52
Unified Threat Management Products (figure slide)
-
52/52
Summary
- introduced need for & purpose of firewalls
- types of firewalls
  - packet filter, stateful inspection, application and circuit gateways
- firewall hosting, locations, topologies
- intrusion prevention systems