Common IS Threat Mitigation Strategies
An overview of common detection and protection technologies
Max Caceres
CORE Security Technologies
www.coresecurity.com
Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies
AGENDA
Intro
Securing the Perimeter
Intrusion Detection
Intrusion Prevention
The New Perimeter
Q&A
A risk management approach to security
WHY MITIGATE?
Modern networks are complex systems
  – Each node has specific security characteristics
  – Nodes interact with each other
  – Subject to constant change (business driven)
Security as an emergent characteristic
Focus on risk
  – 100% bulletproof is a utopian dream
  – As countermeasures and protection mechanisms evolve, attacks evolve too
Friends in, Foes out. Defining and securing the network perimeter
SECURING THE PERIMETER
Packet filters can control which packets are allowed to get through the firewall and which are not
PACKET FILTERS
Packet filter
  – Rules based on individual packets
  – Real fast
  – Most popular routers incorporate this functionality
Stateful packet filter
  – Rules can refer to established sessions or flows
  – Very fast
  – Most modern firewalls are stateful
[Diagram: a TCP session crossing the Firewall: SYN | port 80; SYN | ACK | ISN# 2222; ACK #2222 | port 80 | data; ACK #bbbb | data]
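The handshake in the diagram is what a stateful filter keys its decisions on. The following is an added example, not code from the slides or from CORE Security: a toy stateless rule set next to a toy stateful filter, both run over the same constructed packets. The addresses, ports and the flow-state names are assumptions for the simulation; sequence-number window checks that real firewalls also perform are left out.

```python
# Added example: stateless vs stateful filtering of one outbound HTTP session.
# Addresses, ports and packet contents are constructed for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0


INSIDE = {"10.0.0.5"}           # constructed: the protected client
ALLOWED_OUTBOUND_PORTS = {80}   # policy: inside hosts may open HTTP sessions


def stateless_filter(pkt):
    """Judge each packet on its own header. To let server replies back in,
    the rule must admit any inbound packet from port 80 carrying ACK, which
    also admits forged 'replies' that belong to no session."""
    if pkt.src in INSIDE and pkt.dport in ALLOWED_OUTBOUND_PORTS:
        return "PASS"
    if pkt.dst in INSIDE and pkt.sport in ALLOWED_OUTBOUND_PORTS and "ACK" in pkt.flags:
        return "PASS"
    return "DROP"


class StatefulFilter:
    """Track each flow through SYN_SENT -> SYN_RECEIVED -> ESTABLISHED and
    admit inbound packets only if they belong to a flow an inside host opened."""

    def __init__(self):
        self.flows = {}  # (client, cport, server, sport) -> state

    def filter(self, pkt):
        out_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        in_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reply direction
        if pkt.src in INSIDE:
            if pkt.flags == {"SYN"} and pkt.dport in ALLOWED_OUTBOUND_PORTS:
                self.flows[out_key] = "SYN_SENT"      # new flow opened from inside
                return "PASS"
            state = self.flows.get(out_key)
            if state == "SYN_RECEIVED" and "ACK" in pkt.flags:
                self.flows[out_key] = "ESTABLISHED"   # third step of the handshake
                return "PASS"
            if state == "ESTABLISHED":
                if pkt.flags & {"FIN", "RST"}:
                    del self.flows[out_key]           # session torn down
                return "PASS"
            return "DROP"
        # Inbound packet: it must match a flow the inside host opened.
        state = self.flows.get(in_key)
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.flows[in_key] = "SYN_RECEIVED"
            return "PASS"
        if state == "ESTABLISHED":
            if pkt.flags & {"FIN", "RST"}:
                del self.flows[in_key]
            return "PASS"
        return "DROP"


def run_demo():
    """Run the slide's handshake plus one unsolicited inbound 'ACK' through both filters."""
    client, server = "10.0.0.5", "203.0.113.10"       # constructed addresses
    packets = [
        Packet(client, 40000, server, 80, frozenset({"SYN"}), seq=1111),
        Packet(server, 80, client, 40000, frozenset({"SYN", "ACK"}), seq=2222, ack=1112),
        Packet(client, 40000, server, 80, frozenset({"ACK"}), seq=1112, ack=2223),
        # Unsolicited packet from port 80 with ACK set: no inside host opened this flow.
        Packet("198.51.100.7", 80, client, 40001, frozenset({"ACK"}), seq=9999),
    ]
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [stateful.filter(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

Both filters pass the three handshake packets; only the stateless one also passes the stray inbound packet, because it cannot know that no inside host ever opened that flow.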
Application layer firewalls provide a more granular control of networked applications and services
APPLICATION LAYER FIREWALLS
Police traffic at the application layer
Pros
  – Rules refer to specific services
  – Can spot protocol deviations and abuses
  – Very granular control on protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block “ ‘ “ in HTTP form fields)
Cons
  – Resource intensive
  – Tough to keep up with app-layer protocols
[Diagram: the Firewall inspecting HTTP: GET /null.printer is BLOCKED!; GET /index.html passes and receives its Response]
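To make the diagram and the "block ‘ in HTTP form fields" rule concrete, here is an added example (not code from the slides or any CORE Security product): a minimal HTTP request parser with a small application-layer rule set that denies the /null.printer path shown in the diagram, rejects a quote character in any form field, and treats a malformed request line as a protocol deviation. The sample requests and the www.example.com host are constructed.

```python
# Added example: application-layer inspection of HTTP requests.
# Rules and sample traffic are constructed for the demonstration.
from urllib.parse import parse_qsl, urlsplit

DENIED_PATHS = {"/null.printer"}        # path from the slide diagram
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def parse_request(raw: bytes):
    """Parse an HTTP/1.x request head; raise ValueError on protocol deviations."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")   # strict ASCII: odd bytes are a deviation
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def form_fields(method, target, headers, body):
    """Collect form fields from the query string and a urlencoded POST body.
    parse_qsl percent-decodes values, so an encoded quote is still a quote."""
    fields = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qsl(body.decode("ascii", errors="replace"), keep_blank_values=True))
    return fields


def inspect(raw: bytes):
    """Return ("BLOCKED", reason) or ("ALLOWED", path) for one request."""
    try:
        method, target, _version, headers, body = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return ("BLOCKED", f"protocol deviation: {exc}")
    if method not in ALLOWED_METHODS:
        return ("BLOCKED", f"method {method} not permitted")
    path = urlsplit(target).path
    if path in DENIED_PATHS:
        return ("BLOCKED", f"path {path} denied")
    for name, value in form_fields(method, target, headers, body).items():
        if "'" in value:
            return ("BLOCKED", f"quote character in form field {name}")
    return ("ALLOWED", path)


# Constructed sample requests, in the order: allowed page, denied path,
# quote in a POST field, percent-encoded quote in a query field, malformed line.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /null.printer HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=o'brien&pass=x",
    b"GET /search?q=%27 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html\r\n\r\n",
]


def run_demo():
    return [inspect(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_REQUESTS, run_demo()):
        print(raw.split(b"\r\n")[0].decode(), "->", verdict)
```

The percent-encoded case is the one worth noticing: a rule that only scanned the raw request bytes for a quote would miss it, which is one reason the slide lists "tough to keep up with app-layer protocols" as a cost of this approach.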
Dividing the network in different physical segments has many advantages
NETWORK SEGMENTATION
Assigning trust to network segments
Pros
  – Reduces “attack surface” at many levels
  – Contains or limits successful intrusions
  – Provides control and audit capabilities for internal traffic
Cons
  – Tough to configure and manage if the network is very dynamic
  – Strict performance requirements
A classic segmentation example: the DMZ
NETWORK SEGMENTATION (2)
Intrusion Detection Systems passively monitor the network’s operation for attacks and anomalies
INTRUSION DETECTION
Monitor the network for security events
  – Intrusion attempts
  – Successful attacks
  – Anomalies
Forensics
  – Network audit trail
Internally deployed
  – Detect anomalies within the perimeter
Externally deployed
  – Measure threat (?)
There are many different IDS technologies being developed today
INTRUSION DETECTION STRATEGIES
Signature based
  – Watches for known attacks (signatures)
  – Can detect some well defined anomalies
Anomaly
  – Watches for anomalies (not known attacks)
  – Self learned (adapts to the network) / Programmed (follows defined rules)
Host based
  – Sensor sits in monitored host
Network based
  – Sensor sits on network
Hybrids
Each one of these technologies has limitations
INTRUSION DETECTION LIMITATIONS
Signature based
  – Can only detect known attacks (sometimes only specific attack incarnations)
  – Must be constantly updated
Anomaly
  – Cannot easily absorb change
  – Some attacks are hard to separate from legitimate traffic
Host based
  – Requires widespread deployment of sensor/agent (hard to manage / expensive)
  – Introduces complexity into end-systems
Network based
  – Vulnerable to differences in TCP/IP implementations
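The two preceding slides (strategies and their limitations) can be seen side by side in a small detector. This is an added example, not code from the slides or from any IDS product: a signature detector keyed on the /null.printer path from the earlier diagram, a self-learned anomaly detector that models request path length from a constructed baseline, and a programmed anomaly rule that only accepts an expected character set. The baseline traffic, the threshold k and the test paths are assumptions.

```python
# Added example: signature, self-learned anomaly and programmed anomaly
# detection over HTTP request paths. All traffic here is constructed.
import re
import statistics

# Constructed baseline: ordinary request paths seen during a quiet period.
BASELINE = [
    "/index.html", "/about.html", "/images/logo.gif", "/news.html",
    "/contact.html", "/products/list.html", "/images/banner.gif", "/faq.html",
]

# Signature set: one entry for the known probe shown in the firewall diagram.
SIGNATURES = {"null.printer probe": re.compile(r"/null\.printer", re.IGNORECASE)}

# Programmed rule: a path outside this character set is a protocol deviation.
EXPECTED_PATH = re.compile(r"^/[A-Za-z0-9._/\-]*$")


def signature_detect(path):
    """Known attacks only: returns the names of the signatures that match."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


class PathLengthAnomaly:
    """Self-learned detector: path length outside mean +- k*stdev of the
    baseline is anomalous. It knows nothing about attacks, only about 'normal'."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = None
        self.stdev = None

    def train(self, paths):
        lengths = [len(p) for p in paths]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.pstdev(lengths) or 1.0   # avoid a zero divisor

    def score(self, path):
        return (len(path) - self.mean) / self.stdev

    def is_anomalous(self, path):
        return abs(self.score(path)) > self.k


def programmed_detect(path):
    """Programmed rule: flag paths that deviate from the expected syntax."""
    return EXPECTED_PATH.match(path) is None


def classify(path, model):
    return {
        "signature": signature_detect(path),
        "learned_anomaly": model.is_anomalous(path),
        "programmed_anomaly": programmed_detect(path),
    }


def run_demo():
    """Classify four constructed paths that each illustrate one limitation."""
    model = PathLengthAnomaly(k=3.0)
    model.train(BASELINE)
    samples = {
        "normal": "/index.html",
        # Known probe: short, looks like any other path, so only the signature sees it.
        "known_probe": "/null.printer",
        # Unknown, never-signatured request with an absurdly long path: only the
        # learned model sees it, because it deviates from the baseline.
        "unknown_long": "/" + "A" * 400,
        # Legitimate new application path, longer than anything in the baseline:
        # the learned model raises a false positive until it is retrained.
        "new_feature": "/api/v2/reports/quarterly/2004/summary.html",
        # Syntactically odd request: caught by the programmed rule.
        "odd_syntax": "/index.html;<>",
    }
    return {name: classify(path, model) for name, path in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:13s} {verdict}")
```

Read the output against the limitations slide: the signature catches exactly what it was written for and nothing else; the learned model catches the unknown oversized request but also flags the new legitimate endpoint, which is what "cannot easily absorb change" means in practice; and the known probe is invisible to the learned model because its path length is perfectly ordinary.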
Intrusion Prevention generates an active response to intrusion events
INTRUSION PREVENTION
Responds actively to security events
  – Terminates network connections
  – Communicates with the firewall / switch to disconnect / block attacker
  – Terminates compromised process
Pros
  – Doesn’t require human attention (?)
  – Can preemptively block known intrusion attempts
Cons
  – Doesn’t require human attention (!)
  – Can block legitimate use
  – Can be turned into a DoS (remember spoofing)
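The "can be turned into a DoS (remember spoofing)" point deserves a worked illustration. This is an added example, not code from the slides: a naive auto-blocking policy next to a guarded one that only blocks sources whose address was proven by a completed TCP handshake and that never blocks hosts on a protected list. The event records, the addresses and the NEVER_BLOCK list are constructed assumptions.

```python
# Added example: automatic blocking policies for an IPS, and why an
# unverified source address must not drive a block decision.
# All events and addresses are constructed for the demonstration.

# Hosts the IPS must never cut off (constructed): internal DNS, upstream router.
NEVER_BLOCK = {"10.0.0.53", "10.0.0.1"}

# Constructed alert events. "established" means the sensor saw a completed TCP
# handshake for this source, so the address cannot have been spoofed blindly.
EVENTS = [
    {"src": "198.51.100.7", "proto": "tcp", "established": True,  "sig": "web app probe"},
    {"src": "10.0.0.53",    "proto": "udp", "established": False, "sig": "malformed DNS"},
    {"src": "192.0.2.9",    "proto": "tcp", "established": False, "sig": "SYN scan"},
]


def naive_ips(events):
    """Block the source address of every alert, no questions asked."""
    return {ev["src"] for ev in events}


def guarded_ips(events):
    """Block only sources proven by a handshake and not on the protected list;
    everything else is escalated to a human instead of acted on."""
    blocked, escalated = set(), []
    for ev in events:
        if ev["src"] in NEVER_BLOCK:
            escalated.append((ev["src"], "protected host; possible spoof"))
        elif not ev["established"]:
            escalated.append((ev["src"], "source address not verified"))
        else:
            blocked.add(ev["src"])
    return blocked, escalated


def self_inflicted_outage(blocked):
    """Which critical hosts would this block list cut off?"""
    return sorted(blocked & NEVER_BLOCK)


if __name__ == "__main__":
    naive = naive_ips(EVENTS)
    print("naive blocks:", sorted(naive), "outage:", self_inflicted_outage(naive))
    guarded, todo = guarded_ips(EVENTS)
    print("guarded blocks:", sorted(guarded), "escalated:", todo)
```

The naive policy blocks the internal DNS server on the strength of one UDP datagram whose source was never verified; the guarded policy blocks only the host that completed a handshake and hands the rest to an operator, which is the trade-off behind the slide's paired "(?)" and "(!)" remarks about human attention.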
Several different intrusion prevention strategies at the host level are being developed
HOST IPS
Code injection protection / mitigation
  – Non executable stack (Sun Solaris)
  – Non writeable code segment, non executable everything else (OpenBSD, Linux w/GR Security, Windows XP sp2 w/AMD64)
  – Address randomization (OpenBSD, GR Security)
Containment
  – Chroot jails (POSIX)
  – System call policing, systrace (OpenBSD, NetBSD)
  – Privilege separation (OpenBSD)
The concept of a network perimeter is coming to an end
THE NEW PERIMETER
Peer 2 Peer
HTTP tunneling
  – SSL
Instant messaging
Rich e-mail clients
Personal firewalls bring packet filtering to the workstation
PERSONAL FIREWALLS
Polices traffic coming in and going out of the workstation
Adds the application dimension to the rules
Dynamically configurable
Starts to borrow capabilities from IPS
Q&A
Thank You!
Maximiliano Caceres | [email protected]
http://www.coresecurity.com