350 likes | 666 Vues
IPS News. Germán Zurro Valdez gzurro@checkpoint.com. Agenda. 1. Is IPS still neded ?. 2. Check Point in IPS market. 3. IPS Managed Services. 4. Product News!. Agenda. 1. Is IPS still neded ?. 2. Check Point in IPS market. 3. IPS Managed Services. 4. Product News!.
E N D
IPS News Germán Zurro Valdez gzurro@checkpoint.com
Agenda 1 Is IPS still neded? 2 Check Point in IPS market 3 IPS Managed Services 4 Product News!
Agenda 1 Is IPS still neded? 2 Check Point in IPS market 3 IPS Managed Services 4 Product News!
Dynamic Threat Landscape Over 100 attacks per second ! A new malware is generated every second !
Why Is IPS Needed? RSA 0-Day in Adobe Flash Player Embedded in Microsoft Excel File (“2011 Recruitment Plan.xls”) HBGary, Epsilon,Sony Picture SQL Injection 0-Day Attacks Complex, Polymorphic Attacks Advanced Persistent Threats (APTs) XSS Sony PSN Old and vulnerable versionof Apache web serverANDNo perimeter FW! DDoS Vulnerability Attacks Compliance Requirements
Why Is IPS Needed? RSA 0-Day in Adobe Flash Player Embedded in Microsoft Excel File (“2011 Recruitment Plan.xls”) HBGary, Epsilon,Sony Picture SQL Injection 0-Day Attacks Complex, Polymorphic Attacks Advanced Persistent Threats (APTs) XSS Sony PSN Old and vulnerable versionof Apache web serverANDNo perimeter FW! DDoS Vulnerability Attacks Compliance Requirements
Agenda 1 Is IPS still neded? 2 Check Point in IPS market 3 IPS Managed Services 4 Product News!
Continued Industry Leadership #1 inAdobe Reader, Acrobat Threat Coverage 2009, 2010, 2011 #1 in Microsoft Threat Coverage 2008, 2009, 2010 and 2011 Check Point Check Point 185 620 Sourcefire 148 Sourcefire Cisco 590 483 90 Juniper HP Tipping Point 498 Tipping 70 Juniper 344 28 41 Cisco McAfee McAfee 342 Signature counts attained from vendor public web sites.
Superb 3rd Party Validation • No Other Vendor Has the BESTFW, IPS and NGFW! IPS Next Gen FW and IPS • NSS IPS Recommended 2011 • 97.3% Security Score • Gartner FW MQ (including integrated IPS) • Leader for 12 years • Gartner IPS MQ – Niche • NSS FW Recommended 2011 • Only vendor to pass • NSS NGFW Recommended 2011 • World’s First • Gartner NGIPS Definition
Agenda 1 Is IPS still neded? 2 Check Point in IPS market 3 IPS Managed Services 4 Product News!
Daily Security Challenge • Priority One: Maintain production operations! • Secure against all threats including targeted APTs • Monitor the flood of IPS security events • Optimize IPS protection policy against a dynamic threat landscape
IPS Management Challenges • Many hundreds to thousands of events per day… • Which events are serious? • How should protection policy be tuned? • We don’t have time…
Introducing IPS Managed Services 24/7 IPS MANAGEMENT BY CHECK POINT EXPERTS 1. Actionable attack alerts 2. Ongoing tuningof IPS protections 3. Global attack intelligence& benchmarks
How Does It Work? Check Point SOC Customer IPSSoftware Blades Actionable attack alerts On-going policy tuning Global intelligence IPS Managed Service Portal Customer FW IPS events
Expert Monitoring for Actionable Alerts • Many hundreds to thousands of events per day… Few Actionable Alerts Per Week! 24/7AnalysisbyCheckPointExperts
Get Actionable Attack Alerts • Instant alert • What happened? • What to do next?
Check Point IPS Managed Services CUSTOMER BENEFITS 1. Tremendous time savings 2. Expert monitoring 3. Meet compliance requirements 4. Better security – Actionable attack alerts – Ongoing tuningof IPS protections – Global attack intelligence& benchmarks
Agenda 1 Is IPS still neded? 2 Check Point in IPS market 3 IPS Managed Services 4 Product News!
Product news! IPS CLI New Geo Protection ImpliedExceptions Fail Open NICs SnortConversionTool
IPS CLI • We now allow making temporal changes to IPS directly from CLI • Enable/disable IPS on the GW • Trigger bypass manually or configure it’s thresholds • Turn on debug • Gather performance statistics regarding IPS protections to help identify high CPU utilizing protections • All changes are temporal and are overriden by a policy push, reboot and cpstop/cpstart
Geo Protection • The Geo-protection is now much more accurate. • New vendor is used • Missing countries were added to the list • North Korea • Somalia • Etc’
Implied exceptions • Implied exceptions ignore Check Point products’ originated traffic so as not to block our own communication • SSL on non-standard ports • HTTP on non-standard ports • SSL tunneling • View the exceptions by checking the “IPS implied exception” option http://wiki.checkpoint.com/confluence/display/GlobalPO/Freud+-+Implied+exceptions
What is Snort? Open source network intrusion prevention and detection system (IPS/IDS) De-facto standard for communities writing of open network detection signatures Created by Martin Roesch in 1998 Current CTO of SourceFire Latest version is 2.9.x More info at http://www.snort.org
Snort rules Snort rules are similar to what we in Check Point call protections • Rules are stored in (multiple) text files • One rule is one line of a text based language with a predefined syntax • The syntax have evolved and can today detect patterns in many different ways • Rules can call pre-processors to better look for patterns in advanced protocols Snort rules capabilities are similar but also very different from the proprietary Check Point protection language
Snort rule syntax - example alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) Elements before parentheses is the ‘rule header’ alert action to take; also log, pass, activate, dynamic tcpprotocol; also udp, icmp, ip $EXTERNAL_NET source address; this is a variable – can also be IP 27374source port; also any, negation (!21), range (1:1024) -> direction; <- and <> is also allowed $HOME_NET destination address; this is also a variable here any destination port
Snort rule syntax - example alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) Elements in parentheses are ‘rule options’ msg:”BACKDOOR subseven 22”; message to appear in logs flags: A+; tcp flags; many options, like SA, SA+, !R, SF* content: “|0d0…0a|”; binary data to check in packet; content without | (pipe) characters do simple content matches reference…; where to go to look for background on this rule sid:103; rule identifier classtype: misc-activity; rule type; many others rev:4; rule revision number other rule options possible, like offset, depth, nocase, and many more
Custom made Snort rule Simple rule that will trigger on normal traffic alert tcp any any -> any any (msg:"Look for packets including www.checkpoint.com within first 200 bytes"; flow:established,to_server; file_data; content:"www.checkpoint.com"; within:200; ) Looks for www.checkpoint.com within the first 200 bytes of TCP sessions
Some Snort rules distributions Official Snort Rules • URL: http://www.snort.org/snort-rules/ • Annual subscription for immediate access • Released to registered users after 30 days Emerging Threats • URL: http://www.emergingthreats.net • Free Snort rules for emerging threats • Also paid Pro package with enhanced coverage SCADA rules • URL: http://www.digitalbond.com/tools/quickdraw/ • Open source collection of SCADA rules • Also adds several SCADA preprocessors
Snort rules import in R75.40VS Developed due to customer requests • Converts Snort rule text files into IPS Blade protections • One rule is one protection • Listed among other Check Point provided protections • New group in IPS protection tree: SNORT Imported • Conversion is done on the management • CLI tool called SnortConverter • Converts the rules file and imports it into the protection DB • Needs GUI R/W lock
Snort protections properties Snort protections are automatically assigned to • The name of the imported Snort protection is the value of the msg field in the original SNORT rule • If one SNORT rule has multiple msg strings with the same value, they are aggregated to one IPS Snort protection • If multiple rules are imported at different times and have the same msg string, the new import overrides the old protection Severity Confidence Level Performance Impact High Medium-Low High
Other things to know.. • Direction rules • ->will create Server protections • <- will create Client protections • <> will create Server and Client protections • Many combinations of keywords and modifiers are implemented differently in the IPS blade as Snort protections than in SNORT Rules • More details in IPS Admin guide • We recommend you test them before activating them in a production environment • Debug messages from the last SnortConvertorrun is saved in • $FWDIR/log/SnortConvertor.elg • To find failed rule debugs search for: Failed to convert rule
ROADMAP FW / IPS duties Rulebase for IPS Unified with AB IPv6