Common IS Threat Mitigation Strategies
An overview of common detection and protection technologies
Max Caceres, CORE Security Technologies, www.coresecurity.com

AGENDA
– Intro
– Securing the Perimeter
– Intrusion Detection
– Intrusion Prevention
– The New Perimeter
– Q&A

A risk management approach to security
WHY MITIGATE?
Modern networks are complex systems
– Each node has specific security characteristics
– Nodes interact with each other
– Subject to constant change (business driven)
Security as an emergent characteristic
Focus on risk
– 100% bulletproof is a utopian dream
– As countermeasures and protection mechanisms evolve, attacks evolve too

Friends in, Foes out. Defining and securing the network perimeter
SECURING THE PERIMETER

Packet filters can control which packets are allowed to get through the firewall and which are not
PACKET FILTERS
Packet filter
– Rules based on individual packets
– Real fast
– Most popular routers incorporate this functionality
Stateful packet filter
– Rules can refer to established sessions or flows
– Very fast
– Most modern firewalls are stateful
[Diagram: TCP handshake through the firewall: SYN to port 80; SYN | ACK with ISN# 2222; ACK #2222 to port 80 with data; ACK #bbbb with data]

Application layer firewalls provide a more granular control of networked applications and services
APPLICATION LAYER FIREWALLS
Police traffic at the application layer
Pros
– Rules refer to specific services
– Can spot protocol deviations and abuses
– Very granular control on protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block "'" in HTTP form fields)
Cons
– Resource intensive
– Tough to keep up with app-layer protocols
[Diagram: HTTP GET /null.printer is BLOCKED at the firewall; HTTP GET /index.html passes through and receives a response]

Dividing the network in different physical segments has many advantages
NETWORK SEGMENTATION
Assigning trust to network segments
Pros
– Reduces "attack surface" at many levels
– Contains or limits successful intrusions
– Provides control and audit capabilities for internal traffic
Cons
– Tough to configure and manage if the network is very dynamic
– Strict performance requirements

A classic segmentation example: the DMZ
NETWORK SEGMENTATION (2)

Intrusion Detection Systems passively monitor the network's operation for attacks and anomalies
INTRUSION DETECTION
Monitor the network for security events
– Intrusion attempts
– Successful attacks
– Anomalies
Forensics – Network audit trail
Internally deployed – Detect anomalies within the perimeter
Externally deployed – Measure threat (?)

There are many different IDS technologies being developed today
INTRUSION DETECTION STRATEGIES
Signature based
– Watches for known attacks (signatures)
– Can detect some well defined anomalies
Anomaly
– Watches for anomalies (not known attacks)
– Self learned (adapts to the network) / Programmed (follows defined rules)
Host based
– Sensor sits in monitored host
Network based
– Sensor sits on network
Hybrids

Each one of these technologies has limitations
INTRUSION DETECTION LIMITATIONS
Signature based
– Can only detect known attacks (sometimes only specific attack incarnations)
– Must be constantly updated
Anomaly
– Cannot easily absorb change
– Some attacks are hard to separate from legitimate traffic
Host based
– Requires widespread deployment of sensor/agent (hard to manage / expensive)
– Introduces complexity into end-systems
Network based
– Vulnerable to differences in TCP/IP implementations

Intrusion Prevention generates an active response to intrusion events
INTRUSION PREVENTION
Responds actively to security events
– Terminates network connections
– Communicates with the firewall / switch to disconnect / block attacker
– Terminates compromised process
Pros
– Doesn't require human attention (?)
– Can preemptively block known intrusion attempts
Cons
– Doesn't require human attention (!)
– Can block legitimate use
– Can be turned into a DoS (remember spoofing)

Several different intrusion prevention strategies at the host level are being developed
HOST IPS
Code injection protection / mitigation
– Non executable stack (Sun Solaris)
– Non writeable code segment, non executable everything else (OpenBSD, Linux w/GR Security, Windows XP sp2 w/AMD64)
– Address randomization (OpenBSD, GR Security)
Containment
– Chroot jails (POSIX)
– System call policing, systrace (OpenBSD, NetBSD)
– Privilege separation (OpenBSD)

The concept of a network perimeter is coming to an end
THE NEW PERIMETER
– Peer 2 Peer
– HTTP tunneling – SSL
– Instant messaging
– Rich e-mail clients

Personal firewalls bring packet filtering to the workstation
PERSONAL FIREWALLS
– Polices traffic coming in and going out of the workstations
– Adds the application dimension to the rules
– Dynamically configurable
– Starts to borrow capabilities from IPS

Q&A
Thank You!
Maximiliano Caceres | [email protected] http://www.coresecurity.com
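The PACKET FILTERS slide contrasts per-packet rules with a stateful filter that follows the SYN / SYN|ACK / ACK exchange. The following is an added example, not code from the slides or from CORE Security: a toy stateful filter whose flow table, packet model, "allow inbound :80 only" policy and addresses are all constructed here for illustration. It shows why the stateless "allow any ACK-flagged packet to port 80" shortcut is weaker: a stray ACK with no recorded handshake is dropped.

```python
# Added example (not from the slides or CORE Security): a minimal stateful TCP filter.
from dataclasses import dataclass

ALLOWED_INBOUND_PORTS = {80}   # the one service reachable from outside (assumed policy)

@dataclass
class Packet:                  # constructed packet model for the example, not a capture
    src: str; sport: int; dst: str; dport: int
    flags: frozenset; seq: int = 0; ack: int = 0

class StatefulFilter:
    """Forward only packets that belong to a TCP handshake the firewall has seen."""
    def __init__(self):
        self.flows = {}   # (client, cport, server, sport) -> state, client_isn, server_isn

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)   # flow key in the packet's direction
        rev = (p.dst, p.dport, p.src, p.sport)   # flow key in the opposite direction
        if p.flags == {"SYN"}:   # new connection: only to an allowed port, once per 4-tuple
            if p.dport in ALLOWED_INBOUND_PORTS and fwd not in self.flows:
                self.flows[fwd] = {"state": "SYN_SENT", "client_isn": p.seq}
                return "ALLOW"
            return "DROP"
        if p.flags == {"SYN", "ACK"}:   # server reply must answer a SYN we recorded
            f = self.flows.get(rev)
            if f and f["state"] == "SYN_SENT" and p.ack == f["client_isn"] + 1:
                f.update(state="SYN_RECEIVED", server_isn=p.seq)
                return "ALLOW"
            return "DROP"
        if "ACK" in p.flags and fwd in self.flows:   # client -> server
            f = self.flows[fwd]
            if f["state"] == "SYN_RECEIVED" and p.ack == f["server_isn"] + 1:
                f["state"] = "ESTABLISHED"           # third handshake packet completes the flow
            return "ALLOW" if f["state"] == "ESTABLISHED" else "DROP"
        if "ACK" in p.flags and rev in self.flows:   # server -> client on an existing flow
            return "ALLOW" if self.flows[rev]["state"] == "ESTABLISHED" else "DROP"
        return "DROP"   # no flow: a stateless "allow ACK to :80" rule would have passed this

def run_slide_scenario():
    """Replay the slide's exchange (client -> :80, server ISN 2222) plus one stray ACK."""
    fw, c, s = StatefulFilter(), "203.0.113.5", "192.0.2.10"   # constructed addresses
    pkts = [Packet(c, 40000, s, 80, frozenset({"SYN"}), seq=1000),
            Packet(s, 80, c, 40000, frozenset({"SYN", "ACK"}), seq=2222, ack=1001),
            Packet(c, 40000, s, 80, frozenset({"ACK"}), seq=1001, ack=2223),   # + data
            Packet(s, 80, c, 40000, frozenset({"ACK"}), seq=2223, ack=1001),   # + data
            Packet("198.51.100.9", 5555, s, 80, frozenset({"ACK"}), ack=1)]    # no handshake
    return [fw.decide(p) for p in pkts]
```

The slide's ACK #2222 is a simplification; the example checks the real rule that the ACK number equals the peer's ISN plus one.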
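The APPLICATION LAYER FIREWALLS slide shows GET /index.html passing while GET /null.printer is blocked, and lists "block ' in HTTP form fields" as an example rule. Below is an added example, not the slides' own code: an HTTP request inspector in that spirit, where the permitted methods, the allow-list of path suffixes and the sample requests are assumptions constructed for this example.

```python
# Added example (not from the slides or CORE Security): an application-layer HTTP check.
from urllib.parse import urlsplit, parse_qsl

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                 # assumed site policy
ALLOWED_SUFFIXES = (".html", ".css", ".js", ".png", "/")  # what this site is known to serve

def inspect_http_request(raw: bytes):
    """Return ("ALLOW", "") or ("BLOCK", reason) for one HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        method, target, version = head.decode("ascii").split("\r\n")[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return "BLOCK", "malformed request line"       # protocol deviation
    if not version.startswith("HTTP/1."):
        return "BLOCK", "unexpected protocol version"
    if method not in ALLOWED_METHODS:
        return "BLOCK", f"method {method} not permitted for this service"
    url = urlsplit(target)
    if not url.path.startswith("/") or ".." in url.path:
        return "BLOCK", "suspicious path"
    if not url.path.endswith(ALLOWED_SUFFIXES):       # e.g. the slide's /null.printer
        return "BLOCK", f"path {url.path} is not served here"
    fields = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST":                              # the form body is also a field source
        fields += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in fields:
        if "'" in value:                              # the slide's "block ' in form fields"
            return "BLOCK", f"quote character in form field {name!r}"
    return "ALLOW", ""

# Constructed sample requests mirroring the slide's diagram.
INDEX_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PRINTER_REQUEST = b"GET /null.printer HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
FORM_REQUEST = (b"POST /comment.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"user=bob&text=it's+fine")
```

The cost the slide lists as a con is visible here: every request is decoded and parsed, and the rules must be revised whenever the site or the protocol changes.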