
Tuning Cisco IPS


Presentation Transcript


  1. Tuning Cisco IPS Fabien Gandola – Consulting System Engineer

  2. “I am receiving events!” Job’s done!

  3. But… Are you sure the default policy provided by Cisco matches your needs exactly?

  4. And even if it does… Do you want the same policy everywhere?

  5. Agenda (13:00 to 15:00)
     • Introduction
     • Reduce Noise
     • Reduce False Positive
     • Reduce False Negative
     • Risk Rating Parameters
     • Example with IME
     • Create Custom Signature: Choose the Engine, Choose the Action, Service String TCP, Service HTTP
     • Case Studies
     • Conclusion

  6. Abstract: “My IPS is up and running with the default configuration, I start receiving events... WHAT'S NEXT?” In 2 hours there is no way to turn you into an experienced incident analyst, but I can give you the questions to ask yourself in order to orient the policy of your sensors, the different options to tune your IPS and, via practical examples, what you can do to reduce noise or false positives while limiting the risk of false negatives. This breakout is intended for security administrators currently using Cisco IPS or planning to use it. To get the best out of this session, a basic understanding of IPS/IDS technologies is recommended; knowing the Cisco IPS solution is a plus.

  7. Here is a set of questions:
     • Do you mind risking blocking valid transactions in order to get better protection?
     • Do you mind having a “noisy” IPS in order to see all alerts?
     • Do you want to be notified for every event?
     • Do you have the skills and time to investigate?

  8. Policy Examples: Internet Edge
     • To monitor traffic and get statistics: before the firewall, in IDS mode, large spectrum of signatures, no action for protection
     • To protect from the Internet: after the firewall, in IPS mode, signatures focusing on the traffic allowed by the FW, aggressive actions using Global Correlation

  9. Policy Examples: Datacenter
     • Transactions are critical: after the FW, in IDS mode, signatures focused on the traffic allowed by the FW as well as the type of servers and applications (OS, web servers, database, Unified Communication…), no protection actions, just alerting
     • Assets are critical: after the FW, in IPS mode, signatures focused on the traffic allowed by the FW as well as the type of servers and applications (OS, web servers, database, Unified Communication…), actions only for very high risk rating events

  10. Policy Examples: Campus
     • To monitor internal traffic and get statistics: in IDS mode, focus on well-known current alerts for end-user applications as well as unauthorized applications (P2P, IM…), no action for protection but reporting
     • To protect internally and enforce the acceptable use policy: in IPS mode, focus on well-known current alerts for end-user applications as well as unauthorized applications (P2P, IM…), aggressive actions

  11. You may need to tune your policy

  12. Why Tune IPS Sensors
     • Traffic is from a trusted source
     • High rate of alarms
     • High rate of false positives
     • Not the ideal action response to an alarm
     Tuning is a key part of IPS deployments. The data reduction that results from proper tuning is essential for a fully functional system. Not every sensor needs to alert on every event; implementing environment-specific configurations increases the scalability of the entire system.

  13. How to Tune
     • By direction of traffic
     • By severity level
     • By retiring/disabling a signature
     • By summarizing the alarm to reduce the rate at which it triggers
     • By filtering signatures based on traffic
     • By creating environment variables to easily identify the source and the destination

  14. Where to Start
     If you can’t afford the risk of impacting valid traffic, use IDS mode during the tuning phase.
     IDS mode: the sensing interface receives copies of the network traffic from a SPAN port, hub, tap, or VACL capture. It does not sit in the flow of traffic.
     TIP: It is possible to deploy an IPS in-line but use it only as a detection system, without impacting the traffic.

  15. IPS Physically Inline
     The IPS sits in the flow of the traffic. It inspects the real traffic in real time, receiving packets from its physical or virtual interfaces. (Diagram: Internet – IPS – Host, with the IPS also connected to a separate management network.)

  16. Deployment: IPS Working as IDS (1)
     • Disable the Deny Packet action for HIGHRISK
     • Set the Normalizer to asymmetric mode

  17. Deployment: IPS Working as IDS (2): create an Event Action Filter for all signatures and all sources/destinations...

  18. Deployment: IPS Working as IDS (3): ...that removes all DENY actions

  19. Monitoring with the Default Signatures
     • Start by monitoring the default configuration
       Monitor your traffic for up to 2 weeks to get a baseline
       Group alerts per signature to detect the noisiest ones
       Group per host to detect potential trusted sources to filter out
       Group per severity to investigate the most serious ones
     • It’s all about the risk
       Use risk rating values to help drive your security policy
       We can’t use the threat rating, as in the tuning phase we usually don’t take any actions and Risk Rating = Threat Rating
     TIP: It is recommended to create VS1 and Sig1 so you can revert easily to the default settings without losing your changes.

  20. It’s All About Balance…

  21. Three Main Targets
     • The Noise: a set of alarms which is legitimate but of low priority (e.g. a port scan from the Internet) is considered noise
     • The False Positive: an alarm is considered a false positive if it is triggered by legitimate traffic
     • The False Negative: an attack which has not been detected (e.g. an evasion technique was used) is called a false negative

  22. Agenda (13:00 to 15:00): Introduction, Reduce Noise

  23. Reduction of Noise

  24. Noise Reduction
     There are 3 effective, simple strategies:
     • Limit alerting to high severity alerts only, using policy tuning
     • Use summarization for the noisy signatures
     • Create directional filters

  25. How do I Limit Alerting ?

  26. Summarization
     • Purpose: provide a way to manage the amount of alerts and mitigate the risk of denial of service by saturating the IPS or the human operator with an excessive number of IPS alarms
     • Summary modes: FireAll, FireOnce, Summarize, Global-summarize
     • Using the Specify-summary-threshold parameter, it is possible to switch dynamically to summary mode if a specific signature is firing too many alerts
     • Summary-Key defines the criteria for summarization (Axxx – AxBx – Axxb – xxBx – AaBb)
     • Summary-interval is the time in seconds covered by each summary alert

  27. Summarization Example
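As an added example (not part of the original deck, and not Cisco's implementation), the following Python models the summarization behaviour described on slide 26: the four summary modes, the summary-key grouping letters, the summary interval, and the dynamic switch to Summarize once a summary threshold is exceeded within one interval. The event stream, the signature id 60001 and every class and function name are constructed for the illustration.

```python
"""Model of Cisco IPS alert summarization (constructed example, not the
sensor's implementation): summary modes, summary key, interval, threshold."""
from dataclasses import dataclass

# Summary-key letters from the slide: A/a = attacker address/port,
# B/b = victim address/port, x = field ignored when grouping alerts.
KEY_FIELDS = {
    "Axxx": ("attacker_addr",),
    "AxBx": ("attacker_addr", "victim_addr"),
    "Axxb": ("attacker_addr", "victim_port"),
    "xxBx": ("victim_addr",),
    "AaBb": ("attacker_addr", "attacker_port", "victim_addr", "victim_port"),
}

@dataclass(frozen=True)
class Event:
    time: float          # seconds
    sig_id: int
    attacker_addr: str
    attacker_port: int
    victim_addr: str
    victim_port: int

@dataclass(frozen=True)
class Alert:
    time: float
    sig_id: int
    key: tuple
    count: int           # number of events this alert stands for
    summary: bool        # True for a summary alert

class Summarizer:
    """One summarizer per signature (modes: FireAll, FireOnce, Summarize, GlobalSummarize)."""

    def __init__(self, mode="FireAll", key="Axxx", interval=30, threshold=None):
        self.base_mode = self.mode = mode
        self.key_fields = KEY_FIELDS[key]
        self.interval = interval      # summary-interval, seconds
        self.threshold = threshold    # specify-summary-threshold; None = not set
        self.sig_id = None
        self.window_start = None
        self.window_count = 0
        self.seen = set()             # keys that already fired (FireOnce)
        self.pending = {}             # key -> events waiting for a summary alert
        self.alerts = []

    def _key(self, ev):
        return tuple(getattr(ev, f) for f in self.key_fields)

    def feed(self, ev):
        self.sig_id = ev.sig_id
        if self.window_start is None:
            self.window_start = ev.time
        elif ev.time >= self.window_start + self.interval:
            self._close_window()
            self.window_start = ev.time
        key = self._key(ev)
        self.window_count += 1
        if self.mode == "FireAll":
            if self.threshold is not None and self.window_count > self.threshold:
                # Too many alerts in this interval: summarize the rest of it
                # instead of flooding the console and the analyst.
                self.mode = "Summarize"
                self.pending[key] = self.pending.get(key, 0) + 1
            else:
                self.alerts.append(Alert(ev.time, ev.sig_id, key, 1, False))
        elif self.mode == "FireOnce":
            if key not in self.seen:
                self.seen.add(key)
                self.alerts.append(Alert(ev.time, ev.sig_id, key, 1, False))
        else:   # Summarize / GlobalSummarize: emit only when the interval ends
            self.pending[key] = self.pending.get(key, 0) + 1

    def _close_window(self):
        end = self.window_start + self.interval
        if self.mode == "Summarize":
            for key, n in self.pending.items():
                self.alerts.append(Alert(end, self.sig_id, key, n, True))
        elif self.mode == "GlobalSummarize" and self.pending:
            total = sum(self.pending.values())   # one alert covering every key
            self.alerts.append(Alert(end, self.sig_id, ("*",), total, True))
        self.pending, self.seen, self.window_count = {}, set(), 0
        self.mode = self.base_mode    # a threshold-driven switch lasts one interval

    def flush(self):
        if self.window_start is not None:
            self._close_window()
            self.window_start = None
        return list(self.alerts)

# Constructed sample stream: one host sweeping 12 victims on TCP/1434 inside a
# single interval, a quieter second host, then one more event 40 s later.
SIG = 60001   # constructed custom-signature id, not a real Cisco signature
SAMPLE_EVENTS = (
    [Event(t, SIG, "10.1.1.5", 40000 + t, f"192.0.2.{t + 1}", 1434) for t in range(12)]
    + [Event(12, SIG, "10.1.1.9", 41000, "192.0.2.20", 1434),
       Event(13, SIG, "10.1.1.9", 41001, "192.0.2.21", 1434),
       Event(40, SIG, "10.1.1.5", 42000, "192.0.2.30", 1434)]
)

def run(mode, key="Axxx", interval=30, threshold=None, events=SAMPLE_EVENTS):
    """Feed the sample stream through one summarizer and return its alerts."""
    s = Summarizer(mode, key, interval, threshold)
    for ev in sorted(events, key=lambda e: e.time):
        s.feed(ev)
    return s.flush()
```

Running run("FireAll") on the sample gives 15 individual alerts; run("FireAll", threshold=5) gives 5 individual alerts, then two summaries (7 events from the sweeping host, 2 from the other) at the end of the 30-second interval, then one more alert in the next interval; run("Summarize") gives one summary per attacker and interval; run("GlobalSummarize") gives a single summary per interval. Changing the key to AxBx makes every victim its own group, which is why the key choice matters as much as the mode for a scanning host.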

  28. Directional Filters
     • Some signatures are only relevant when fired in a specific direction or from a specific location
     • Reporting all exploit attempts coming from the Internet might not be relevant, BUT
     • Reporting the same exploit coming from inside your network could be: one of your machines might be infected and trying to infect other machines
     • Use filters based on the signature and the source or destination IP address
     Example: Sig 4703, MSSQL Resolution Service Stack Overflow. Effective to catch Slammer; directional tuning detects internal infected hosts

  29. Create Event Variables
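Added example, not from the deck: a Python model of event variables and ordered event action filters, used to express the filter ideas on slides 17, 18, 28 and 47: the IDS-mode filter that strips every deny action, the directional filter for signature 4703 that keeps alerts only for attackers inside your network (a first filter matching $INSIDE_NET stops evaluation before a catch-all filter removes the alert), and a filter that silences SNMP violations from known management stations. The action names follow the Cisco IPS event-action vocabulary; the filter fields, variable names, networks and function names are my own and are constructed for the illustration, not the sensor's CLI syntax.

```python
"""Model of event variables and event action filters (constructed example, not
the sensor's CLI): filters run in order, each may remove actions and may stop
further evaluation when it matches."""
import ipaddress
from dataclasses import dataclass

# Actions that touch traffic; a sensor run "as IDS" must never keep these.
DENY_ACTIONS = frozenset({
    "deny-packet-inline", "deny-connection-inline", "deny-attacker-inline",
    "deny-attacker-victim-pair-inline", "deny-attacker-service-pair-inline",
})
ALERT_ACTIONS = frozenset({"produce-alert", "produce-verbose-alert"})

# Event variables (constructed): name -> networks, referenced as $NAME below.
EVENT_VARIABLES = {
    "INSIDE_NET": ["10.0.0.0/8", "192.168.0.0/16"],
    "MGMT_STATIONS": ["10.10.10.0/24"],
    "ANY": ["0.0.0.0/0"],
}

def contains(spec, addr):
    """True if addr lies in the '$VARIABLE' or the CIDR given by spec."""
    nets = EVENT_VARIABLES[spec[1:]] if spec.startswith("$") else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

@dataclass(frozen=True)
class Event:
    sig_id: int
    attacker: str
    victim: str
    risk_rating: int
    actions: frozenset      # actions the signature and overrides assigned

@dataclass
class Filter:
    name: str
    sig_ids: range
    attacker: str = "$ANY"
    victim: str = "$ANY"
    rr_min: int = 0
    rr_max: int = 100
    actions_to_remove: frozenset = frozenset()
    stop_on_match: bool = False   # skip later filters for this event

    def matches(self, ev):
        return (ev.sig_id in self.sig_ids
                and contains(self.attacker, ev.attacker)
                and contains(self.victim, ev.victim)
                and self.rr_min <= ev.risk_rating <= self.rr_max)

def apply_filters(filters, ev):
    """Walk the ordered filter list and return the actions left on the event."""
    actions = set(ev.actions)
    for f in filters:
        if f.matches(ev):
            actions -= f.actions_to_remove
            if f.stop_on_match:
                break
    return frozenset(actions)

# Slides 17/18: IPS working as IDS, i.e. strip every deny action for all
# signatures and all sources/destinations.
IDS_MODE = [Filter("no-deny", range(1000, 65536), actions_to_remove=DENY_ACTIONS)]

# Slide 28: keep sig 4703 alerts only when the attacker is an internal host.
# Order matters: the first filter matches internal attackers and stops, so the
# catch-all second filter silences only attackers outside $INSIDE_NET.
DIRECTIONAL = [
    Filter("4703-inside-keep", range(4703, 4704), attacker="$INSIDE_NET", stop_on_match=True),
    Filter("4703-internet-quiet", range(4703, 4704), actions_to_remove=ALERT_ACTIONS),
]

# Slide 47: SNMP violations from the known management stations are expected.
TRUSTED_SNMP = [Filter("4507-mgmt", range(4507, 4508), attacker="$MGMT_STATIONS",
                       actions_to_remove=ALERT_ACTIONS)]

DEFAULT_ACTIONS = frozenset({"produce-alert", "deny-packet-inline"})

def demo():
    """Apply the filter sets to a Slammer-style event from inside and from the Internet."""
    inside = Event(4703, "10.2.3.4", "10.5.6.7", 90, DEFAULT_ACTIONS)
    internet = Event(4703, "203.0.113.9", "10.5.6.7", 90, DEFAULT_ACTIONS)
    return {
        "ids_mode": apply_filters(IDS_MODE, inside),
        "inside": apply_filters(DIRECTIONAL, inside),
        "internet": apply_filters(DIRECTIONAL, internet),
        "ids_and_directional": apply_filters(IDS_MODE + DIRECTIONAL, internet),
    }
```

demo() shows the consequences of ordering: the internal attacker keeps both its alert and its deny action, the Internet attacker keeps only the deny action under DIRECTIONAL, and under the combined IDS-mode plus directional list it produces nothing at all, which is exactly the "no deny, no noise" posture described for the tuning phase.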

  30. Agenda (13:00 to 15:00): Introduction, Reduce Noise, Reduce False Positive

  31. Reduction of False Positive

  32. Reduction of False Positives
     There are 4 main strategies to deal with false positives:
     • Alarm and signature filtering, where the resulting alarm or signature is (selectively) disabled
     • Signature tuning, where the triggering signature is altered and tuned to the environment
     • Use the Meta engine, in order to correlate several events to increase confidence and fidelity
     • Use Global Correlation, in order to increase confidence that the traffic is a real attack

  33. Alarm and Signature Filtering
     • Retire the signature
     • Disable the signature
     • Change the default severity of the signature
     • Filter the signature for specific ports
     • Filter the signature for specific hosts or networks

  34. Signature Tuning 1/2: Tunable thresholds
     Number/rate of events that form a set in a specific amount of time:
     • Decrease the limits if they are exceeded too often
     • Increase the time interval
     • Can be modified per host
     • Very different from summarization!
     Examples: 3 failed attempts to authenticate; more than 100 embryonic connections from the same host

  35. Signature Tuning 2/2: Tunable content
     • Change the range of allowed parameters (for example, exclude a destination port)
     • With string matching, tighten the pattern to match fewer instances of legitimate data
     • More information in the section “Create a new signature”

  36. META Engine. Purpose: the Meta engine defines events that occur in a related manner within a sliding time interval. It processes events rather than packets. The Meta engine generates a signature event after all requirements for the event are met. Summarization and event actions are processed after the Meta engine has processed the component events.

  37. Integrated Event Correlation: Process for Accurate Threat Mitigation
     Example: SAMBA WINS Remote Code Execution, Sig 6768/0. Time interval = 60 secs. Components: SIG 6768/1 80 times, SIG 6768/2 once.
     If SIG 6768/1 fires 80 times and 6768/2 fires once within a 60 sec interval, then the Meta Engine will trigger an event -> 6768/0

  38. META Engine Parameters
     We have recently added the NOT operation for events that we do not want to happen in a specific sequence.
     TIP: Setting the parameter all-components-required to NO allows you to combine several metas, simulating the OR operator.
     Objective: trigger an alert if you see E1 followed by E2 or E3
     Meta1 = E2 + E3 with all-components-required set to NO
     Meta2 = E1 + Meta1
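Added example, not part of the deck and not the Cisco Meta engine code: a Python model of what slides 36 to 38 describe, a per-attacker sliding window in which each component signature must reach its count, an all-components-required switch (AND versus OR), a NOT component, and chaining of one meta into another to obtain “E1 followed by E2 or E3”. The signature ids 6768/1, 6768/2 and 6768/0 come from slide 37; the E1..E4 names, the META1..META3 ids, the in_order flag and the sample event times are constructed.

```python
"""Model of Meta-engine correlation: count component events per attacker in a
sliding window (constructed example, not the Cisco implementation)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    time: float        # seconds
    sig: str           # "6768/1" style signature id
    attacker: str      # correlation key: events are grouped per attacker address

@dataclass(frozen=True)
class Component:
    sig: str
    count: int = 1         # how many times the component must fire in the window
    negate: bool = False   # NOT component: must not appear in the window at all

class MetaSignature:
    def __init__(self, sig, components, interval, all_required=True, in_order=False):
        self.sig = sig
        self.components = components
        self.interval = interval            # sliding window length, seconds
        self.all_required = all_required    # True = AND, False = OR (slide 38)
        self.in_order = in_order            # with AND: components complete in list order
        self.windows = {}                   # attacker -> [(time, sig), ...]

    def feed(self, ev):
        """Add one component event; return the meta event it triggers, or None."""
        win = self.windows.setdefault(ev.attacker, [])
        win.append((ev.time, ev.sig))
        win[:] = [(t, s) for t, s in win if t > ev.time - self.interval]  # slide the window
        if self._satisfied(win):
            self.windows[ev.attacker] = []   # start a fresh window after firing
            return Event(ev.time, self.sig, ev.attacker)
        return None

    def _satisfied(self, win):
        done_at = []   # time at which each positive component reached its count
        for c in self.components:
            times = [t for t, s in win if s == c.sig]
            if c.negate:
                if times:
                    return False            # a NOT component was seen: never fire
                continue
            done_at.append(times[c.count - 1] if len(times) >= c.count else None)
        hits = [t for t in done_at if t is not None]
        if not hits:
            return False
        if self.all_required:
            if len(hits) != len(done_at):
                return False
            if self.in_order and hits != sorted(hits):
                return False
        return True

def run(metas, events):
    """Feed events in time order through all metas; a meta's output is fed back
    so that another meta can use it as a component (Meta2 = E1 + Meta1)."""
    fired = []
    for ev in sorted(events, key=lambda e: e.time):
        queue = [ev]
        while queue:
            cur = queue.pop(0)
            for m in metas:
                out = m.feed(cur)
                if out is not None:
                    fired.append(out)
                    queue.append(out)
    return fired

def samba_scenario():
    """Slide 37: 80 x 6768/1 plus 1 x 6768/2 within 60 s -> 6768/0."""
    meta = MetaSignature("6768/0", [Component("6768/1", 80), Component("6768/2", 1)], 60)
    events = [Event(0.5 * i, "6768/1", "10.0.0.7") for i in range(80)]   # burst in 40 s
    events.append(Event(45, "6768/2", "10.0.0.7"))
    events += [Event(2.0 * i, "6768/1", "10.0.0.8") for i in range(80)]  # spread over 160 s
    events.append(Event(160, "6768/2", "10.0.0.8"))                      # too slow: no meta
    return run([meta], events)

def or_scenario():
    """Slide 38: E1 followed by E2 or E3, built from two chained metas."""
    meta1 = MetaSignature("META1", [Component("E2"), Component("E3")], 60, all_required=False)
    meta2 = MetaSignature("META2", [Component("E1"), Component("META1")], 60, in_order=True)
    events = [Event(0, "E1", "a"), Event(10, "E3", "a"),    # E1 then E3: fires
              Event(0, "E2", "b"), Event(10, "E1", "b")]    # E2 before E1: wrong order
    return run([meta1, meta2], events)

def not_scenario():
    """NOT component: fire on E1 only if E4 was not seen in the window."""
    meta = MetaSignature("META3", [Component("E1"), Component("E4", negate=True)], 60)
    events = [Event(0, "E4", "c"), Event(5, "E1", "c"), Event(5, "E1", "d")]
    return run([meta], events)
```

samba_scenario() fires 6768/0 once, for 10.0.0.7 at t=45, while 10.0.0.8 never reaches 80 component events inside any 60-second window; or_scenario() fires META2 only for host a, where E1 precedes the META1 produced by E3; not_scenario() fires META3 only for host d, because host c had E4 in its window. The window reset after a meta fires is what keeps one burst from producing a meta alert on every further packet; summarization, as slide 36 says, is applied after that.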

  39. Global Correlation
     • IPS Reputation Filters block access to IPs on stolen ‘zombie’ networks or networks controlled entirely by malicious organizations
     • Global Correlation Inspection raises the Risk Rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without negative reputation

  40. Defeating SQL Injection: The Challenge of Traditional Signature-Based IPS
     What signatures find: SQL command fragments in web traffic (What?). Verdict: UNKNOWN. This could be your billing system talking to your customer database. Or……..

  41. Defeating SQL Injection: Collaborate with Confidence
     What Global Correlation knows: What? SQL command fragments in web traffic. Who? An untrusted client: dynamic IP address, dynamic DNS, history of web attacks. Where? Within a heavily compromised network, history of botnet activity. How? 4th packet of the HTTP connection. Verdict: BLOCK

  42. IRC Connections: The Challenge of Traditional Signature-Based IPS
     What signatures find: IRC Join (What?). Verdict: UNKNOWN. This looks like a typical IRC connection request……..

  43. IRC Connections: Collaborate with Confidence
     Traditional signature-only IPS view, without reputation, versus a Global Correlation-enabled IPS, which allows a confident Deny action

  44. Malware over BitTorrent: The Challenge of Traditional Signature-Based IPS
     What signatures find: BitTorrent connections (What?). Verdict: UNKNOWN. This looks like standard BitTorrent connections……

  45. Reconnaissance Activities: The Challenge of Traditional Signature-Based IPS
     What signatures see: ICMP Timestamp Request packets (What?). Verdict: NO CONFIDENCE. The packets, being non-connection oriented, are spoofable. Do you have the confidence to implement a Deny Attacker action to prevent future recon activities?

  46. False Positive Examples: Signature 5477 - Possible Heap Payload Construction
     Originally High severity. Triggered heavily by the Ad-Revolver web application. Consider retiring it?
     - What is the potential impact on the victim? Low
     - Is it part of a Meta signature? Yes
     => Decrease the severity to informational

  47. False Positive Examples: Signature 4507 - SNMP Protocol Violation
     Originally High severity. Fires when any error in decoding SNMP is detected. Consider retiring it?
     - What is the potential impact on the victim? High
     - Are the management stations known? YES
     • Decrease the severity to informational so you have traces for forensic analysis
     • Filter out trusted sources
     • Check the application’s SNMP implementation

  48. Questions?

  49. Agenda (13:00 to 15:00): Introduction, Reduce Noise, Reduce False Positive, Reduce False Negative

  50. Reduction of False Negative
