Cyberdefense Technologies
Cyberdefense Technologies: Firewalls, Intrusion Detection and Beyond
Defensive Strategy
• Deceive the attacker
• Frustrate the attacker
• Resist the attacker
• Recognize and respond to the attacker
Security Desires
• Logging of successful connections, rejected packets and suspected attacks
• Immunity to denial-of-service attacks
• Protection against information-gathering probes
Defenses against DoS
• The best defense against DDoS attacks is to prevent initial system compromises
• However, even vigilant hosts can become targets because of less prepared, less security-aware hosts
• It is difficult to specifically defend against becoming the ultimate target of a DDoS attack, but protection against being used as a daemon or master system is more easily attainable
Ingress Filtering
• Ingress filtering manages the flow of traffic as it enters a network under your administrative control
• Servers are typically the only machines that need to accept inbound connections from the public Internet
• Ingress filtering can be performed at the border to prohibit externally initiated inbound connections to non-authorized services
Egress Filtering
• Egress filtering manages the flow of traffic as it leaves a network under your administrative control
• Egress filtering from sources like university campuses can make a difference
• Egress filtering alone does not provide a complete solution to the problem
Firewalls
• Defensive “middle ground” between the public and the protected network
• The demands on a firewall can differ significantly
• An internal network (where a balance has to be found between what can come in and out), a publicly accessible website, and a virtual private network pose very different problems
Firewalls are for policy control
• They permit a site’s administrator to set a policy on external access
• Just as file permissions enforce an internal security policy, a firewall can enforce an external security policy
Firewall Technologies
• Network Address Translation (NAT)
• Most use packet filtering rules to determine packet access
• Some use “stateful inspection” to manage connections
• Some application proxy support
• A few allow custom proxy creation *BONUS*
Static Packet Filtering
• Uses information in packet headers:
  • Destination IP address
  • Source IP subnet
  • Destination service port
• Information is compared with an Access Control List (ACL)
• Flags (TCP): stop anything with SYN=1, but port scanners can choose to send packets with ACK=1 or FIN=1 and all other flags set to 0…
• Flags are not an option with UDP
Example Attack
• Hacker’s objective: gain control of an internal NT server from the Internet
• Internet router is blocking TCP/UDP ports 135-139
• Firewall allows only outbound HTTP (80) and SMTP (25) traffic
Dynamic Packet Filtering (Stateful Inspection)
• Acts on the same principle as static packet filtering, but maintains a connection or “state” table in order to monitor the communication session
• Less easy to abuse
• Filtering is hard to configure to full satisfaction and reduces router performance
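The difference between the two filtering slides, as an added example that is not part of the original presentation: a stateless “drop SYN=1” rule placed beside a filter with a state table, run over constructed packets (the 10.0.0.0/24 inside prefix, hosts and ports are assumed).

```python
# Added example, not from the slides: a static "block SYN=1" filter beside a
# stateful filter, showing which inbound packets each one admits.
# Packets are constructed dicts; INSIDE_NET is an assumed internal prefix.
INSIDE_NET = "10.0.0."

def is_inside(ip):
    return ip.startswith(INSIDE_NET)

def static_filter(pkt):
    """Stateless ACL: drop externally initiated connection attempts (SYN alone)
    to inside hosts. Any other flag combination is judged on header fields
    only, so an inbound ACK-only or FIN-only probe passes."""
    if not is_inside(pkt["dst"]):
        return "accept"                  # outbound traffic is not filtered here
    return "drop" if pkt["flags"] == {"SYN"} else "accept"

class StatefulFilter:
    """Records sessions opened from the inside and admits inbound packets
    only when they belong to one of them."""
    def __init__(self):
        self.table = set()               # (inside_ip, inside_port, outside_ip, outside_port)

    def process(self, pkt):
        if is_inside(pkt["src"]) and not is_inside(pkt["dst"]):
            if "SYN" in pkt["flags"]:    # outbound SYN creates state
                self.table.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "accept"
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.table:
            return "drop"                # no session: SYN, ACK and FIN probes all fail here
        if pkt["flags"] & {"FIN", "RST"}:
            self.table.discard(key)      # teardown removes the state entry
        return "accept"

def make(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

# Constructed traffic: one legitimate outbound session and three inbound probes.
TRAFFIC = [
    ("outbound_syn", make("10.0.0.5", 40000, "198.51.100.7", 80, "SYN")),
    ("reply_synack", make("198.51.100.7", 80, "10.0.0.5", 40000, "SYN", "ACK")),
    ("probe_syn", make("203.0.113.9", 55555, "10.0.0.5", 139, "SYN")),
    ("probe_ack", make("203.0.113.9", 55555, "10.0.0.5", 139, "ACK")),
    ("probe_fin", make("203.0.113.9", 55555, "10.0.0.5", 139, "FIN")),
]
def compare(traffic=TRAFFIC):
    """Return {name: (static verdict, stateful verdict)} for each packet in order."""
    sf = StatefulFilter()
    return {name: (static_filter(pkt), sf.process(pkt)) for name, pkt in traffic}
```

Both filters block the plain SYN probe; only the stateful one also drops the ACK and FIN probes, while still admitting the SYN/ACK reply to the session the inside host opened.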
Problems with Firewalls
• Conventional firewalls rely on the notions of restricted topology and controlled entry points to function
  • Everyone on one side of the firewall is to be trusted
  • Anyone on the other side is potentially an enemy
• “Extranets” can allow outsiders to reach the “inside” of the firewall
• Some machines need more access to the outside than do others
• End-to-end encryption: firewalls generally do not have the necessary keys to inspect traffic
• Log review, software currency, … (high maintenance)
Distributed Firewalls
• In such a scheme, policy is still centrally defined; enforcement, however, takes place on each endpoint
• Helps control trust issues
What are Honeypots?
• Honeypots are one of the methods used in intrusion detection
• Set up a "decoy" system:
  • Non-hardened operating system
  • Appears to have several vulnerabilities
  • Similar configuration to production
  • Fake content
• Deceive the intruder for alerting and study
Attracting Blackhats
• What do you do to attract blackhats to your honeypot?
• Absolutely nothing; that is the scary part. You have to sit back and wait.
• The blackhat community is extremely aggressive; you would be surprised at what they will find.
Honeypot as attack host
• Once compromised, can't the bad guys use one of your honeypots to attack someone else?
• That risk exists!
• Use several layers of access-control devices that limit and control what type of outbound connections are allowed, and how many
The Honeynet Project
• Distributed team of security experts
• Hardware to capture and analyze intruder activity
• Evolving honeypot technology and attack analysis
What’s wrong with honeypots?
• The insurance model will not allow you to take unnecessary risks without a substantial increase in premium
• Risk management says that honeypots increase risk for demonstrably invalid reasons
• You can learn more by using better instrumentation
• Transient effectiveness
Transient Effectiveness
• The threat reality is that most attackers are morons and will attack with DoS if denied real access
• Honeypots must be kept up to date but in general aren’t
• Honeypots must act like the host operating system
• Fix current problems rather than generating new ones
Too many hosts to secure
• Virtually all operating systems and network devices are insecure out of the box
• This must change
• Operating systems maintained by normal users must be set to take care of themselves by default
• Growth of the net will be the single largest factor as to why there are so many vulnerable systems
• It is unrealistic to assume that the net will ever be safe
Where does IDS fit?
• IDS are useful as an additional layer of defense, no more
• IDS are not helpful when advanced attackers are attacking you with new attacks
• Two major types today: network IDS (Snort) and host IDS (AIDE, log watchers, etc.)
• Missing IDS type: application IDS
• High false-alarm rates (wasted admin time)
IDS and Policy
• Security policy is the first step (defining what is acceptable and what is being defended)
• Notification
  • Who, how fast?
• Response coordination
Example alert (figure): “Jane did a port sweep!” (NMAP)
IDS Implementation Map (diagram). Components shown: Internet; Filtering Router (perimeter logs); Firewall (perimeter logs); Network IDS (Snort); Statistical IDS (Snort); Generic Server (host-based ID, Snort 2.0); Honeypot (deception system)
Detection Engine
• Rules form “signatures”
• Modular detection elements are combined to form these signatures
• Wide range of detection capabilities
  • Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
• Rules system is very flexible, and creation of new rules is relatively simple
Learning More
• www.snort.org
• Writing Snort Rules
  • www.snort.org/snort_rules.html
• FAQ, USAGE file, README file, man page
• Snort mailing lists
• Books
  • Intrusion Detection: An Analyst’s Handbook by Northcutt
  • Intrusion Signatures and Analysis by Northcutt
  • The Practical Intrusion Detection Handbook by Paul Proctor
But What Slips Through?
• Signatures are based on a traffic model
  • Attacks stay with the same source IP set
• Signatures assume fixed characteristics
  • Packets involved in an attack keep similar content
• Signatures assume an obvious distinction from legitimate traffic
  • What is legitimate is never malicious
How do We Catch the Slips?
• Non-signature-based collection
  • Short-term (hours, max) packet collection, rotating -> libpcap
  • Medium-term (weeks, max) headers + content summary -> expanded flow
  • Long-term (years) headers + sizes -> flow
• Privacy concerns
• Efficiency concerns
• Sampling concerns
What can You Do with Just Flows?
• Indicative, not probative
• Time series, with departures
  • DDoS ramp-up
  • Scanning: worms/viruses
• Threshold violations
  • Spam vs. email
  • Streaming media vs. web browsing
• Locality violations
  • Malware beaconing
  • Worms/viruses
  • Spyware
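Two of the flow-only indicators above (scanning and malware beaconing), as an added example that is not part of the original presentation: the records are constructed flows, and the thresholds (8 targets in 60 s, 6 events with at most 10% spread in interval) are assumed, illustrative values.

```python
# Added example, not from the slides: two indicators computed from flow records
# alone. Records are constructed (time_s, src, dst, dport, bytes) tuples and the
# thresholds are assumed, illustrative values.
from collections import defaultdict
from statistics import mean, pstdev

def scan_sources(flows, min_targets=8, window_s=60):
    """Sources touching >= min_targets distinct (dst, dport) pairs within
    window_s seconds: a scanning / worm-propagation indicator."""
    by_src = defaultdict(list)
    for t, src, dst, dport, _ in flows:
        by_src[src].append((t, (dst, dport)))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window_s}
            if len(targets) >= min_targets:
                hits.add(src)
                break
    return hits

def beacons(flows, min_events=6, max_jitter=0.1):
    """(src, dst) pairs whose inter-flow gaps are nearly constant (relative
    spread <= max_jitter): a malware-beaconing indicator."""
    by_pair = defaultdict(list)
    for t, src, dst, _, _ in flows:
        by_pair[(src, dst)].append(t)
    found = set()
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            found.add(pair)
    return found

def sample_flows():
    """Constructed flows: irregular browsing, one periodic beacon, one port sweep."""
    flows = [(t, "10.0.0.5", dst, 443, 2000) for t, dst in
             [(5, "198.51.100.1"), (47, "198.51.100.2"), (130, "198.51.100.1"), (300, "198.51.100.3")]]
    # beacon: roughly every 300 s (+0..2 s jitter) from one inside host to one outside host
    flows += [(1000 + 300 * i + i % 3, "10.0.0.9", "203.0.113.7", 443, 120) for i in range(8)]
    # sweep: one outside host touches ports 135-139 on two inside hosts within ten seconds
    targets = [(h, p) for h in ("10.0.0.5", "10.0.0.6") for p in range(135, 140)]
    flows += [(2000 + i, "203.0.113.9", h, p, 60) for i, (h, p) in enumerate(targets)]
    return flows
```

Neither function sees payloads or signatures; the browsing host trips neither indicator, the sweep trips only the scan check and the periodic host trips only the beacon check.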
Automated Response
• Ongoing work
• Local indicators fused into an alert
• Firewalls/IDS exchange intrusion information
  • IODEF standard
• Dynamically alter firewall rules
• Dynamically alter routing tables to reconfigure the network
Layered Defenses (diagram). Source: Shawn Butler, Security Attribute Evaluation Method. Layers shown: Frustrate, Deceive, Recognize, Respond; Goal 1 through Goal 8