NetRanger Intrusion Detection System
Marek Mąkowski [email protected]
0600_11F8_c2

The Security Wheel: Defense In-Depth
Effective network security requires defense in depth: multiple capabilities, combining framework/process, technology, and expertise/ongoing operations.
1) Corporate Security Policy
   • Policy Development & Review
2) SECURE
   • ID/Authentication
   • Encryption & VPN
   • Firewalls
   • Security Design & Implementation/Integration
3) MONITOR
   • Real-Time Intrusion Detection & Response
   • 7x24 Monitoring
4) AUDIT/TEST
   • Vulnerability Scanning & Analysis
   • Security Posture Assessment
   • Risk Assessment
5) MANAGE & IMPROVE
   • Centralized Policy & Configuration Management
   • Trend Analysis
   • Management Reports
   • Incident Response

Why Active Audit?
• The hacker might be an employee or 'trusted' partner: up to 80% of security breaches are from insiders -- FBI
• Your defense might be ineffective: one in every three intrusions occurs where a firewall is in place -- Computer Security Institute
• Your employees might make mistakes: misconfigured firewalls, modems, old passwords, etc.
• Your network will grow and change: each change is a security risk
Firewalls, authorization and encryption do not provide visibility into these problems.

Active Audit -- Goal: Visibility
• The NetRanger Intrusion Detection System monitors user behavior on the network, similar to the guards, video cameras and motion detectors that help secure bank vaults

NetRanger Overview
• Real-time intrusion detection and response
• Finds and stops unauthorized activity occurring on the network: a "reactive" appliance
• Network "motion sensor, video camera, and security guard"
• Industry-leading technology
  - Scalable, distributed operation
  - High performance (100 Mbps Ethernet, FDDI, Token Ring)
  - "On-the-fly" reconfiguration of Cisco router ACLs to shun intruders

NetRanger Architecture
• NetRanger Director (software): alarm handling, configuration control, signature control
• NetRanger Sensor (appliance): detection, alarm generation, response, countermeasures
• Director and Sensor communicate over a Comm channel
[Slide: Sensor appliance front and back panels; the Sensor has a separate monitoring NIC and command NIC]

Attack Signature Detection
• Scans packet header and payload; single- and multiple-packet attacks
• Three-tier attack detection:
  1. Named attacks (Smurf, PHF)
  2. General category (IP fragments)
  3. Extraordinary (TCP hijacking, e-mail spam)
• Customer-defined signatures: string matching (words) to quickly defend against new attacks and to scan for unique misuse

Sensor -- Detect Intrusions
Signatures are classified on two axes: context (header) vs. content (data), and "atomic" (single packet) vs. "composite" (multiple packets). Examples named on the slide: Ping of Death, Port Sweep, SYN Attack, Land Attack, MS IE Attack, TCP Hijacking, Telnet Attacks, DNS Attacks, Character Mode Attacks.

Sensor -- Event Logging
Events are logged for three different activities:
• Alarms: when a signature is detected (slide example: Ping Sweep)
• Errors: when an error is detected (slide example: lost communications between Director and Sensor)
• Commands: when a user executes a command on the Director or Sensor (slide example: Shun Attacking Host)
0973_03F8_c2 NW98_US_401

Sensor -- Attack Response
Session termination and shunning:
• Session termination kills an active session (slide example: the Sensor kills the current session of a TCP hijack attacker)
• Shunning reconfigures the router (network device) to deny the attacker access

Sensor -- Session Logging
• Capture evidence (keystrokes) of suspicious or criminal activity
• Fish bowl or honeypot: learn and record a hacker's knowledge of your network
[Slide: the attacker's session into the protected network is recorded by the Sensor into a session log]

NetRanger Deployment
[Diagram labels: Corporate Network, Engineering, NetRanger, Cisco Secure Server, NetRanger ID/Auth.,
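The signature model on the preceding slides (header context vs. payload content, atomic vs. composite, plus customer-defined string signatures) can be shown concretely. The following is an added example written for this page, not NetRanger's code: a miniature sensor that runs three atomic signatures (Land, Ping of Death, and a string signature for the PHF CGI attack named on the slide) and two composite ones (port sweep, SYN attack) over a constructed packet stream. Packets are simplified dicts rather than real captures, and the thresholds, window and addresses are assumptions.

```python
# Added example (not Cisco's code): a miniature NetRanger-style sensor that evaluates
# "atomic" (single-packet) signatures on header context and payload content, plus
# "composite" (multi-packet, stateful) signatures, over a constructed packet stream.
# Packets are simplified dicts, not real captures; thresholds and windows are assumptions.
from collections import defaultdict


def sig_land(pkt):
    """Atomic, header context: Land attack, source and destination address/port identical."""
    return pkt["proto"] == "tcp" and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def sig_ping_of_death(pkt):
    """Atomic, header context: ICMP fragment that would reassemble past the 65535-byte IP limit."""
    return pkt["proto"] == "icmp" and pkt["frag_off"] * 8 + pkt["ip_len"] > 65535


def make_string_sig(port, needle):
    """Customer-defined content signature: case-insensitive substring match on a service port."""
    needle = needle.lower()
    return lambda pkt: pkt["proto"] == "tcp" and pkt["dport"] == port and needle in pkt["payload"].lower()


ATOMIC = [
    ("Land Attack", sig_land),
    ("Ping of Death", sig_ping_of_death),
    ("PHF", make_string_sig(80, b"/cgi-bin/phf")),  # named attack from the slide
]


class CompositeState:
    """State for multi-packet signatures: port sweeps per (src, dst) and SYN floods per dst.
    Each alarm fires once per key so a sustained attack does not flood the Director."""

    def __init__(self, window=5.0, sweep_ports=10, syn_threshold=20):
        self.window, self.sweep_ports, self.syn_threshold = window, sweep_ports, syn_threshold
        self.sweep = defaultdict(list)      # (src, dst) -> [(ts, dport)] of recent SYNs
        self.half_open = defaultdict(dict)  # dst -> {(src, sport): ts} SYNs with no ACK yet
        self.fired = set()

    def update(self, pkt):
        if pkt["proto"] != "tcp":
            return []
        alarms, now, flags = [], pkt["ts"], pkt["flags"]
        key, conn = (pkt["src"], pkt["dst"]), (pkt["src"], pkt["sport"])
        if "S" in flags and "A" not in flags:
            # Port sweep: many distinct destination ports from one source inside the window.
            recent = [e for e in self.sweep[key] if now - e[0] <= self.window] + [(now, pkt["dport"])]
            self.sweep[key] = recent
            if len({p for _, p in recent}) >= self.sweep_ports and ("Port Sweep", key) not in self.fired:
                self.fired.add(("Port Sweep", key))
                alarms.append(("Port Sweep", pkt["src"], pkt["dst"]))
            # SYN attack: too many half-open connections toward one destination.
            pending = self.half_open[pkt["dst"]]
            pending[conn] = now
            for stale in [c for c, t in pending.items() if now - t > self.window]:
                del pending[stale]
            if len(pending) >= self.syn_threshold and ("SYN Attack", pkt["dst"]) not in self.fired:
                self.fired.add(("SYN Attack", pkt["dst"]))
                alarms.append(("SYN Attack", "*", pkt["dst"]))
        elif "A" in flags:
            # Third handshake packet from the client completes the connection.
            self.half_open[pkt["dst"]].pop(conn, None)
        return alarms


def run_sensor(packets):
    """Apply every atomic signature to each packet and feed the composite state; return alarms."""
    state, alarms = CompositeState(), []
    for pkt in packets:
        alarms.extend((name, pkt["src"], pkt["dst"]) for name, sig in ATOMIC if sig(pkt))
        alarms.extend(state.update(pkt))
    return alarms


def tcp(ts, src, sport, dst, dport, flags, payload=b""):
    return {"ts": ts, "proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags), "payload": payload}


# Constructed sample traffic (not a real capture).
SAMPLE = [
    tcp(0.0, "10.0.0.5", 139, "10.0.0.5", 139, "S"),                                # Land
    {"ts": 0.1, "proto": "icmp", "src": "203.0.113.9", "dst": "10.0.0.5",
     "frag_off": 8100, "ip_len": 1500},                                            # 66300 > 65535
    tcp(0.2, "203.0.113.9", 1025, "10.0.0.8", 80, "PA",
        b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),       # PHF
] + [tcp(1.0 + i / 10, "10.0.0.9", 2000 + i, "10.0.0.5", 1 + i, "S") for i in range(12)]   # sweep
SAMPLE += [tcp(3.0 + i / 100, f"198.51.100.{i + 1}", 40000, "10.0.0.5", 80, "S") for i in range(25)]  # flood
SAMPLE += [tcp(9.0, "10.0.0.7", 50000, "10.0.0.5", 80, "S"), tcp(9.1, "10.0.0.7", 50000, "10.0.0.5", 80, "A")]

if __name__ == "__main__":
    for alarm in run_sensor(SAMPLE):
        print(alarm)
```

The composite signatures are where a real sensor spends its effort: they need per-flow state, a time window, and a one-shot guard so a sustained attack produces one alarm rather than thousands. Note that the Land packet and the port sweep are themselves SYNs and therefore also count toward the SYN-attack threshold, which is why the flood trips it after fewer than twenty spoofed packets in this sample.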
TACACS+, Finance, PIX Firewall, IOS Firewall, Cisco Router, Internet, Switch, NR/NS (NetRanger/NetSonar), WWW Server, NetRanger Admin, DNS Server, Dial-Up Access, Business Partner, NetRanger Director, Remote Security Monitoring]

NetRanger Director
• Geographically oriented GUI
  - Operations-friendly HP OpenView GUI
  - Color icon alarm notification
  - Quickly pinpoint, analyze and respond
  - Maintain security operations consistency
• Network Security Database: attack info, hotlinks, countermeasures; customizable
• Monitor hundreds of Sensors per NOC

Software Requirements
• Operating systems: Solaris 2.5.1 or 2.6; HP-UX 10.20
• HP OpenView 4.11, 5.01, 6.0
• Web browser (for the NSDB)

Hardware Requirements
                                  Sun SPARC           HP-UX
NetRanger install partition       /usr/nr, 50 MB      /usr/nr, 50 MB
NetRanger log partition           /usr/nr/var, 2 GB   /usr/nr/var, 2 GB
HP OpenView install partition     /opt, 110 MB        /opt, 65 MB
Java run-time environment         /opt, 12 MB         /opt, 10 MB
System RAM                        96 MB               96 MB

Director -- Distributed Management
• Tier 1: enterprise strategic management Director
• Tier 2: regional operational management Directors
• Tier 3: local network security management Directors, each monitoring its own NetRanger Sensors

Alarm Display and Management
[Slide: Director map with Sensor and Director icons showing context intrusion alarms and content intrusion alarms]

Configuration Management
[Slide: configuration management screen]

Network Security Database
• On-line reference tool
• Contains: descriptions; recommendations and fixes; severity ratings; hyperlinks to external information/patches

E-mail and Script Execution
• E-mail notification: sends notification to an e-mail recipient or pager
• Custom script execution: starts any user-defined script
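The Sensor's two response actions (session termination and shunning via router ACL reconfiguration) and the Director's ability to run a user-defined script on an alarm are described above only as boxes on a diagram. The following added example, written for this page and not NetRanger's own code, shows what each action computes: the RST segments that tear down a live TCP session, and a timed shun list rendered as a complete Cisco IOS numbered extended ACL. The ACL number 198, the 15-minute TTL, the never-shun list and the sample packet are assumptions for the example.

```python
# Added example (not Cisco's code): the two NetRanger response actions as a sensor might
# implement them. Session termination computes the RST segments that tear down a live TCP
# session; shunning maintains a timed deny list rendered as a Cisco IOS numbered extended
# ACL (ACL number 198, the TTL and the never-shun list are assumptions for this example).


def rst_segments(pkt):
    """Return the two RST segments that kill the session an observed packet belongs to.
    An endpoint accepts a RST only if its sequence number falls in the receive window, so the
    RST sent toward the receiver carries the sender's next sequence number (seq advanced by
    the payload length, plus one for SYN or FIN), and the RST sent toward the sender carries
    the sender's own acknowledgement number. The sensor spoofs each endpoint's address."""
    advance = len(pkt["payload"]) + ("S" in pkt["flags"]) + ("F" in pkt["flags"])
    to_receiver = {"src": pkt["src"], "sport": pkt["sport"], "dst": pkt["dst"], "dport": pkt["dport"],
                   "seq": (pkt["seq"] + advance) & 0xFFFFFFFF, "flags": {"R"}}
    to_sender = {"src": pkt["dst"], "sport": pkt["dport"], "dst": pkt["src"], "dport": pkt["sport"],
                 "seq": pkt["ack"], "flags": {"R"}}
    return to_receiver, to_sender


class ShunTable:
    """Timed deny list for attacker addresses, rendered as a complete numbered ACL.
    Classic IOS numbered ACLs cannot be edited one entry at a time, so the whole list is
    regenerated on every change. Addresses on never_shun are refused: an attacker who spoofs
    the source address of a DNS server or gateway must not be able to make the sensor block it."""

    def __init__(self, acl_number=198, ttl=900, never_shun=()):
        self.acl_number, self.ttl = acl_number, ttl
        self.never_shun = set(never_shun)
        self.entries = {}  # host -> expiry time

    def shun(self, host, now):
        if host in self.never_shun:
            return False
        self.entries[host] = now + self.ttl  # re-shunning an active host extends it
        return True

    def expire(self, now):
        """Drop entries whose TTL has passed; returns the hosts released."""
        released = [h for h, t in self.entries.items() if t <= now]
        for h in released:
            del self.entries[h]
        return released

    def acl(self):
        """IOS configuration lines that replace the ACL with the current deny list."""
        lines = [f"no access-list {self.acl_number}"]
        lines += [f"access-list {self.acl_number} deny ip host {h} any" for h in sorted(self.entries)]
        lines.append(f"access-list {self.acl_number} permit ip any any")
        return lines


if __name__ == "__main__":
    # Constructed packet from a hijacked Telnet session (not a real capture).
    observed = {"src": "203.0.113.9", "sport": 1043, "dst": "10.0.0.5", "dport": 23,
                "seq": 1000, "ack": 5000, "flags": {"P", "A"}, "payload": b"cat /etc/passwd\r\n"}
    for seg in rst_segments(observed):
        print(seg)
    shuns = ShunTable(never_shun={"10.0.0.53"})
    shuns.shun(observed["src"], now=0)
    print("\n".join(shuns.acl()))
```

Two caveats a practitioner would add to the slide. A RST is only honoured if it arrives while the session is still open and in-window, so the sensor must inject it quickly after the offending packet; and automatic shunning turns the sensor into a denial-of-service lever for anyone who can spoof source addresses, which is why the never-shun list and the expiry exist.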
What comprises Active Audit?
NetRanger (reactive) and NetSonar (proactive) together provide: real-time analysis, vulnerability scanning, intrusion detection, dynamic response, assurance, network mapping, measuring exposure, and security expertise.

NetSonar Security Scanner: "Proactive Security"
0305_10F8_c2

Active Audit -- Network Vulnerability Assessment
• Assess and report on the security status of network components
• Scanning (active, passive) driven by a vulnerability database

NetSonar Overview
• Vulnerability scanning and network mapping system
• Identifies and analyzes security vulnerabilities in ever-changing networks: "proactive" software
• Industry-leading technology: network mapping, host and device identification, flexible reporting, scheduled scanning

Network Discovery Process
Network mapping:
• Identify live hosts
• Identify services on hosts
Vulnerability scanning:
• Analyze discovery data for potential vulnerabilities
• Confirm vulnerabilities on targeted hosts

Network Mapping Tool
• Uses multiple techniques: ping sweeps (electronic map); port sweeps (service discovery)
• Unique discovery features:
  - Detects workstations, routers, firewalls, servers, switches, printers, and modem banks
  - Detects operating systems and version numbers
  - Does not require SNMP

Vulnerability Assessment Engine
• Potential Vulnerability Engine (passive): compares network discovery data to rules to reveal potential vulnerabilities
• Confirmed Vulnerability Engine (active): uses well-known exploitation techniques to fully confirm each suspected vulnerability and to identify vulnerabilities not detected during passive mapping

How NetSonar Works
1. Network discovery: ping sweep to identify hosts; port sweeps to identify services
2. Passive vulnerability analysis: discovery data analyzed by rules
3. Active vulnerability analysis: exploits executed against target hosts (slide example: the FTP bounce exploit)
4. Presentation and reporting: communicate results
[Slide: example targets: router; e-mail server (SMTP, FTP); web server (HTTP, FTP, Telnet); firewall; inactive workstation; workstation running Windows NT v4.0 with SMB RedButton and anonymous FTP findings]
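The two-engine design above (passive rules over discovery data, then active confirmation by exercising the suspected weakness) is the part worth seeing in code. The following added example, written for this page and not NetSonar's own code, flags the three findings named on the "How NetSonar Works" slide from constructed discovery records, then confirms the two FTP ones by speaking the FTP control protocol: an anonymous login attempt, and the FTP bounce check (a PORT command naming a third host, followed by LIST). The transport is abstracted so the exchange runs here against a scripted stand-in server; the host records, server replies, bounce target 10.0.0.5:139 and password string are all constructed for the example.

```python
# Added example (not Cisco's code): the two NetSonar engines in miniature. The passive
# engine matches discovery data (hosts, OS, open services) against rules to flag potential
# vulnerabilities; the active engine confirms two of them by talking FTP to the target:
# anonymous login, and the FTP bounce exploit (PORT pointing at a third host). The transport
# is abstracted so the exchange runs here against a scripted stand-in server.
import re

# Passive rules: (rule name, predicate over a host record). Constructed for this example.
RULES = [
    ("Anonymous FTP", lambda h: 21 in h["services"]),
    ("FTP bounce", lambda h: 21 in h["services"]),
    ("SMB RedButton", lambda h: h["os"].startswith("Windows NT 4.0") and 139 in h["services"]),
]


def passive_engine(hosts):
    """Return (host, rule) pairs for every rule whose discovery data matches."""
    return [(h["addr"], name) for h in hosts for name, pred in RULES if pred(h)]


class FtpProbe:
    """Minimal FTP control-channel client over any object with sendline()/readline()."""

    def __init__(self, transport):
        self.t = transport
        self.reply()  # consume the 220 greeting

    def reply(self):
        """Read one (possibly multi-line) reply and return its three-digit code."""
        line = self.t.readline()
        m = re.match(r"(\d{3})([ -])", line)
        if m and m.group(2) == "-":  # multi-line reply ends with "NNN " on its own line
            while not line.startswith(m.group(1) + " "):
                line = self.t.readline()
        return int(m.group(1)) if m else 0

    def cmd(self, line):
        self.t.sendline(line)
        return self.reply()

    def anonymous_login(self):
        if self.cmd("USER anonymous") == 230:
            return True
        return self.cmd("PASS netsonar@example.test") == 230  # constructed identity string

    def bounce(self, third_party, port):
        """Confirmed if the server accepts a PORT for an address other than the client's and
        then opens the data connection, i.e. it will connect anywhere on the scanner's behalf."""
        h = third_party.replace(".", ",")
        if self.cmd(f"PORT {h},{port >> 8},{port & 0xFF}") != 200:
            return False
        return self.cmd("LIST") in (125, 150)


class ScriptedServer:
    """Stand-in FTP server: canned replies per command verb (not a real server)."""

    def __init__(self, replies):
        self.replies, self.queue = replies, ["220 ftp.example.test FTP server ready"]

    def sendline(self, line):
        self.queue.extend(self.replies.get(line.split()[0], ["500 Command not understood"]))

    def readline(self):
        return self.queue.pop(0)


def active_engine(findings, connect):
    """Confirm FTP findings; connect(addr) returns a transport for the host's port 21."""
    confirmed = []
    for addr, rule in findings:
        if rule == "Anonymous FTP" and FtpProbe(connect(addr)).anonymous_login():
            confirmed.append((addr, rule))
        elif rule == "FTP bounce" and FtpProbe(connect(addr)).bounce("10.0.0.5", 139):
            confirmed.append((addr, rule))
    return confirmed


# Constructed discovery data and server behaviour (assumptions for this example).
HOSTS = [
    {"addr": "10.0.0.8", "os": "Windows NT 4.0", "services": {21, 80, 139}},
    {"addr": "10.0.0.9", "os": "Solaris 2.6", "services": {21, 23}},
]
BEHAVIOUR = {
    "10.0.0.8": {"USER": ["331 Anonymous access allowed, send identity as password"],
                 "PASS": ["230-Welcome", "230 Anonymous user logged in"],
                 "PORT": ["200 PORT command successful"], "LIST": ["150 Opening data connection"]},
    "10.0.0.9": {"USER": ["530 Anonymous login not permitted"],
                 "PORT": ["500 Illegal PORT command"]},
}


def assess(hosts=HOSTS, behaviour=BEHAVIOUR):
    """Run both engines; returns (potential findings, confirmed findings)."""
    findings = passive_engine(hosts)
    return findings, active_engine(findings, lambda addr: ScriptedServer(behaviour[addr]))


if __name__ == "__main__":
    potential, confirmed = assess()
    print("potential:", potential)
    print("confirmed:", confirmed)
```

The split matters for how results are read: the passive engine over-reports by design (every FTP server is "potentially" bouncing), and only the active exchange separates 10.0.0.8, which accepts a PORT naming another host, from 10.0.0.9, which rejects it. The SMB RedButton finding has no active check in this example and so stays at "potential", which is the right status to report for anything the scanner has not exercised.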