common is threat mitigation strategies an overview of common detection and protection technologies...
Post on 15-Jan-2016
213 views
TRANSCRIPT
Common IS Threat Mitigation Strategies
An overview of common detection and protection technologies
Max CaceresCORE Security Technologies
www.coresecurity.com
Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies
Intro
Securing the Perimeter
Intrusion Detection
Intrusion Prevention
The New Perimeter
Q & A
AGENDA
A risk management approach to security
Modern networks are complex systems– Each node has specific security characteristics– Nodes interact with each other– Subject to constant change (business driven)
Security as an emergent characteristic
Focus on risk– 100% bulletproof is an utopian dream– As countermeasures and protection mechanisms evolve, attacks evolve too
WHY MITIGATE?
Friends in, Foes out. Defining and securing the network perimeter
SECURING THE PERIMETER
attacker
attacker
attacker
attacker
internet
attacker
Firewall
Corporate
Packet filters can control which packets are allowed to get through the firewall and which are not
Packet filter– Rules based on individual packets– Real fast– Most popular routers incorporate
this functionality
Stateful packet filter– Rules can refer to established
sessions or flows– Very fast– Most modern firewalls are stateful
PACKET FILTERS
client server
SYN | port 80
SYN | ACK | ISN# 2222
ACK #2222 | port 80 | data
ACK #bbbb| data
Firewall
Application layer firewalls provide a more granular control of networked applications and services
Police traffic at the application layer
Pros– Rules refer to specific services– Can spot protocol deviations and abuses– Very granular control on protocol specifics (deny FTP anonymous login, disable
unused SMTP commands, block “ ‘ “ in HTTP form fields)
Cons– Resource intensive– Tough to keep up with app-layer protocols
APPLICATION LAYER FIREWALLS
Server
clientFirewall
HTTP GET /index.htmlHTTP GET /null.printerHTTP Response HTTP ResponseHTTP GET /index.htmlBLOCKED!
Dividing the network in different physical segments has many advantages
Assigning trust to network segments
Pros– Reduces “attack surface” at many levels– Contains or limits successful intrusions– Provides control and audit capabilities for internal traffic
Cons– Tough to configure and manage if the network is very dynamic– Strict performance requirements
NETWORK SEGMENTATION
A classic segmentation example: the DMZ
NETWORK SEGMENTATION (2)
workstation
Server Server Server
client
Router
Firewall
Backend server
client
client
workstation
workstation
Intrusion Detection Systems passively monitor the network’s operation for attacks and anomalies
Monitor the network for security events– Intrusion attempts– Successful attacks– Anomalies
Forensics– Network audit trail
Internally deployed– Detect anomalies within the perimeter
Externally deployed– Measure threat (?)
INTRUSION DETECTION
There are many different IDS technologies being developed today
Signature based– Watches for known attacks (signatures)– Can detect some well defined anomalies
Anomaly– Watches for anomalies (not known attacks)– Self learned (adapts to the network) / Programmed (follows defined rules)
Host based– Sensor sits in monitored host
Network based– Sensor sits on network
Hybrids
INTRUSION DETECTION STRATEGIES
Each one of these technologies has limitations
Signature based– Can only detect known attacks (sometimes only specific attack incarnations)– Must be constantly updated
Anomaly– Cannot easily absorb change– Some attacks are hard to separate from legitimate traffic
Host based– Requires widespread deployment of sensor/agent (hard to manage / expensive)– Introduces complexity into end-systems
Network based– Vulnerable to differences in TCP/IP implementations
INTRUSION DETECTION LIMITATIONS
Intrusion Prevention generates and active response to intrusion events
Responds actively to security events– Terminates network connections– Communicates with the firewall / switch to disconnect / block attacker– Terminates compromised process
Pros– Doesn’t require human attention (?)– Can preemptively block known intrusion attempts
Cons– Doesn’t require human attention (!)– Can block legitimate use– Can be turned into a DoS (remember spoofing)
INTRUSION PREVENTION
Several different intrusion prevention strategies at the host level are being developed
Code injection protection / mitigation– Non executable stack (Sun Solaris)– Non writeable code segment, non executable everything else (OpenBSD, Linux
w/GR Security, Windows XP sp2 w/AMD64)– Address randomization (OpenBSD, GR Security)
Containment– Chroot jails (POSIX)– System call policing, systrace (OpenBSD, NetBSD)– Privilege separation (OpenBSD)
HOST IPS
The concept of a network perimeter is coming to an end
Peer 2 Peer
HTTP tunneling– SSL
Instant messaging
Rich e-mail clients
THE NEW PERIMETER
client
workstation
attacker
workstation
Personal firewalls bring packet filtering to the workstation
Polices traffic coming in and going out the workstations
Adds the application dimension to the rules
Dynamically configurable
Starts to borrow capabilities from IPS
PERSONAL FIREWALLS
Q & A