
Deploying Secure Enterprise Networks


Presentation Transcript


  1. Deploying Secure Enterprise Networks

  2. Disclaimer
  “This presentation provides a tit-for-tat description of a fictional electronic war between an irritable yet determined cracker and an overworked, but well funded, IT staff. Any similarities to your current environment are purely coincidental. Cisco does not recommend such reactionary security design. Rather, we suggest engaging in a systematic approach to the network security problem.” The Authors at Cisco Systems

  3. The Aggressor
  • Scott Daniels (aka n3T51ay3r)
  • College age, too much free time
  • Two notches above “script kiddie”
  • Recently banned from netgamesrus.com for cheating on their latest game “Xtreme Secret Agent”
  • Wants revenge

  4. The Defenders
  • Netgamesrus.com
  • Web-based gaming company
  • Experienced explosive growth and hasn’t had much time to think about security
  • IT staff is minimal, and most have occupied their time play-testing their newest creation
  • Just went through a second round of funding that hasn’t been spent yet

  5. Initial Solution
  (diagram: Netgamesrus.com public hosts (WWW, DNS, SMTP, FTP), Internet, Internal Net)
  • Router only provides WAN connectivity
  • FW is concerned with internal net

  6. In My Sleep
  (diagram: n3T51ay3r, Internet, Internal Net)
  • Scan ports and vulnerabilities to find target
  • Outdated BIND discovered on web server
  • Root privilege obtained, logs cleaned, and root kit installed
  • “You are so owned”

  7. Scanning Tools

  8. SANS #1: BIND

  9. Root Kits

  10. Quick Fix
  (diagram: Netgamesrus.com, Internet, Internal Net)
  • A player with scanning software happens to find your host is compromised and tattles
  • Rebuild (due to rootkit) and patch hosts
  • Turn off unwanted services
  • Rinse and repeat (for all the hosts)
  • Move public services off to the third leg of the firewall for service isolation

  11. Hey, What Happened?
  (diagram: n3T51ay3r, Internet, Internal Net)
  • What happened to “my” system?
  • Rescan
  • There are fewer services available
  • Services are patched
  • Wait for “new” vulnerability posting on net (no hurry…)

  12. It’s Only a Matter of Time

  13. Open & Closed Source Concerns ! ?

  14. Odds in My Favor
  (diagram: n3T51ay3r, Internet, Internal Net)
  • Exploit latest vulnerability (a race)
  • Reinstall rootkit, clean logs
  • Download add’l attack tools (getting angry)
  • Scan isolated service network and internal net
  • Own more public hosts

  15. Raise the Bar
  (diagram: Netgamesrus.com, Internet, Internal Net)
  • Internal scan finds compromised hosts
  • Fix and rebuild hosts
  • Install network IDS
  • Turn on liberal shunning and TCP resets
  • Most signatures
  • Reconfigure ACLs on the router

  16. NIDS Response
  7100he#show access-list
  Extended IP access list 197
      permit ip host 10.1.1.20 any
      deny ip host 112.70.126.43 any
      deny ip host 96.193.155.79 any

  17. Lost Tone Again?
  (diagram: n3T51ay3r, Internet, Internal Net)
  • Services found, though patched again
  • Run vulnerability scans but inconsistent response
  • Pings also blocked
  • A “friend” observes the same result
  • Rats… what’s going on?

  18. IT Success!
  (diagram: Netgamesrus.com, Internet, Internal Net)
  • Scan and exploit attempts captured
  • Shunning worked

  19. Stick IDS
  (diagram: n3T51ay3r, Internal Net, Internet)
  • Researched behavior, NIDS and shunning assumed
  • Find method to defeat NIDS — Stick is latest utility
  • http://www.eurocompton.net/stick/
  • Overwhelms shunning capability
  • Launch stick, re-exploit hosts, install toys

  20. Stick Tool

  21. New Management
  (diagram: Netgamesrus.com, Internet, Internal Net)
  • Two observations
    • NIDS shunning pre-FW may be overflowed, so turn off shunning
    • Firewall logs show download of tools on hosts
  • Install NIDS in public segment and liberally shun on FW
  • FW ACLs to prevent public services segment outbound sessions
  • Rebuild hosts using Ghost and patch

  22. This Is Getting Tough
  (diagram: n3T51ay3r, ?, Internet, Internal Net)
  • Lost tone again, must still be shunning
  • Use stick again
  • Still no tone???

  23. Success Again
  (diagram: Netgamesrus.com, Internet, Internal Net)
  • NIDS alarming tracks cracker activities
  • Shunning on FW working
  • FW mitigates stick effects on NIDS in public services segment

  24. The Empire Strikes Back
  (diagram: n3T51ay3r, Internal Net, Internet, Proxy Svr 50.50.50.50)
  • What is being shunned?
  • Looks like composite and atomic attacks are shunned
  • Exploit poorly deployed shunning:
    • Launch spoofed atomic attacks from proxy servers of large ISPs
    • Now legitimate customers can’t get in!

  25. To Shun or Not to Shun
  (diagram: Netgamesrus.com, Internet, Internal Net)
  • Public exposure (due to shun problem) creates job uncertainties among the IT staff
  • Perhaps shunning everything is a bad idea?
  • Set shun posture to only critical multi-packet TCP attacks
  • Tune IDS (shun length, false positives, alarm levels, hire staff to monitor IDS 24x7)
  • Optional: tier IDS log analysis for better attack visibility
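The lesson of slides 16, 24 and 25 is that an automatic shun is only safe when the sensor has proof the source address is real, which a completed TCP handshake gives and a single spoofable packet does not. The following Python is an added example, not code from the Cisco deck or from any Cisco product: it applies the slide-25 posture (shun only critical, multi-packet TCP attacks, never shun a protected host, expire shuns after a fixed length) to a few constructed NIDS alert records and renders the result in the show access-list layout of slide 16. The alert record fields, the NIDSAlert class, the function names and the sample alerts are all assumptions made for the example; the addresses 10.1.1.20, 112.70.126.43, 96.193.155.79 and 50.50.50.50 are the ones that appear on the slides.

```python
"""Shun-policy filter for NIDS alerts (added example; not from the Cisco deck).

Assumptions: the NIDSAlert fields, NEVER_SHUN, should_shun(), active_shuns()
and render_acl() are constructed for this example. SAMPLE_ALERTS is a
constructed alert feed, not captured sensor data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NIDSAlert:
    ts: datetime
    src: str
    proto: str          # "tcp", "udp" or "icmp"
    established: bool   # True only if the sensor saw the full TCP handshake
    signature: str      # constructed, descriptive label (not a real sig ID)
    severity: int       # 1 (informational) .. 5 (critical)


# Never shunned: the NOC host the slide-16 ACL permits, and the shared ISP
# proxy of slide 24 that many legitimate customers sit behind.
NEVER_SHUN = {"10.1.1.20", "50.50.50.50"}


def should_shun(alert, min_severity=4):
    """Slide-25 posture: shun only critical, multi-packet TCP attacks.

    UDP, ICMP and pre-handshake TCP alerts are 'atomic': one spoofable packet
    is enough to trigger them, so the source address cannot be trusted and
    an automatic shun would let an attacker block arbitrary third parties.
    """
    if alert.src in NEVER_SHUN:
        return False
    if alert.proto != "tcp" or not alert.established:
        return False
    return alert.severity >= min_severity


def active_shuns(alerts, now, shun_length=timedelta(minutes=15), min_severity=4):
    """Return {src: expiry} for sources whose shun is still in force at `now`."""
    shuns = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if not should_shun(a, min_severity):
            continue
        expiry = a.ts + shun_length
        # keep the latest expiry per source, drop shuns that have already lapsed
        if expiry > now and expiry > shuns.get(a.src, a.ts):
            shuns[a.src] = expiry
    return shuns


def render_acl(shuns, acl_number=197, permit_hosts=("10.1.1.20",)):
    """Render the shun set in the 'show access-list' layout seen on slide 16."""
    lines = [f"Extended IP access list {acl_number}"]
    lines += [f"    permit ip host {h} any" for h in permit_hosts]
    lines += [f"    deny ip host {src} any" for src in sorted(shuns)]
    return lines


# Constructed alert feed: two genuine composite attacks, one spoofed atomic
# alert from the ISP proxy, one UDP probe, one low-severity event, one stale hit.
T0 = datetime(2001, 6, 1, 12, 0)
SAMPLE_ALERTS = [
    NIDSAlert(T0, "112.70.126.43", "tcp", True, "composite web exploit attempt", 5),
    NIDSAlert(T0 + timedelta(minutes=5), "96.193.155.79", "tcp", True, "composite overflow attempt", 4),
    NIDSAlert(T0 + timedelta(minutes=6), "50.50.50.50", "tcp", False, "atomic TCP signature (spoofable)", 5),
    NIDSAlert(T0 + timedelta(minutes=7), "203.0.113.9", "udp", False, "single-packet UDP probe", 5),
    NIDSAlert(T0 + timedelta(minutes=8), "198.51.100.7", "tcp", True, "low-severity recon", 2),
    NIDSAlert(T0 - timedelta(minutes=60), "192.0.2.66", "tcp", True, "composite attack, now stale", 5),
]
NOW_DURING = T0 + timedelta(minutes=10)   # both genuine shuns still active
NOW_LATER = T0 + timedelta(minutes=17)    # first shun has expired


if __name__ == "__main__":
    print("\n".join(render_acl(active_shuns(SAMPLE_ALERTS, NOW_DURING))))
```

Run stand-alone, the block prints an ACL with the two slide-16 deny lines and nothing for the proxy, the UDP probe or the stale alert. The expiry parameter is the "shun length" knob slide 25 mentions; shortening it limits how long a false positive keeps a real customer out.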

  26. Try, Try Again
  (diagram: n3T51ay3r, Hmm…, Internal Net, Internet)
  • Looks like they’ve got their act together
  • Trying the ISP DoS again doesn’t work
  • Shunning must have been tuned
  • Shift gears: what CGI scripts are running on the box?

  27. Application Layer Attacks

  28. godzilla.d
  (diagram: n3T51ay3r, godzilla!!, Internet, Internal Net)
  • Found a public domain CGI in use (SANS #2)
  • Examine source code and run tools to find an unpublished vulnerability
  • After substantial research, success
  • Compromise web server with new toy (godzilla.d)

  29. SANS #2: CGI

  30. Why Me?
  (diagram: Netgamesrus.com, Internet, Internal Net)
  • Find, Ghost, and patch hosts
  • Fix CGI script (with outside help)
  • Post to Bugtraq (or not)
    • Do we really want more visibility?
  • Install host IDS on appropriate hosts

  31. Host Intrusion Detection
  • Host IDS is best installed on key servers
  • Features vary per product, including watching for:
    • File system
    • Process table
    • I/O
    • System resource usage
    • Memory allocation
  • Actions include alarm and sometimes prevent
  • Financially and operationally impractical to install on all hosts
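The first feature slide 31 lists, watching the file system, is also the one that would have caught the rootkit installs of slides 6 and 14 (a rootkit replaces system binaries so that its presence is hidden from the tools an administrator would normally use). The Python below is an added example, not code from the deck or from any host IDS product: it takes a hashed baseline of a directory tree, re-snapshots it later, and reports files that were added, removed or changed. The directory layout, the file contents and the function names are constructed for the example; the "rebuild" scenario in demo() simulates a trojaned ls binary, a hidden new file and a deleted tool inside a temporary directory.

```python
"""File-integrity check of the kind a host IDS performs (added example; not
from the Cisco deck). Paths, baseline format and function names are
assumptions constructed for this example.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree cannot make the
    baseline depend on files the policy does not cover.
    """
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a fake bin/ tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name, body in (("ls", b"ls-v1"), ("ps", b"ps-v1"), ("netstat", b"netstat-v1")):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)   # taken on the freshly rebuilt, patched host

        # Simulated tampering: ls replaced, a hidden binary dropped, netstat removed.
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"ls-trojaned")
        with open(os.path.join(bin_dir, ".backdoor"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(bin_dir, "netstat"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

The baseline must be taken from a known-good image (the Ghost-and-patch rebuild the slides describe) and stored off the monitored host, otherwise a compromise that rewrites the baseline is invisible. Commercial host IDS products add the other slide-31 items (process table, resource usage) on top of this same compare-against-baseline idea.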

  32. Alternate Route Needed
  (diagram: n3T51ay3r, Easier Way?, Internet, Internal Net)
  • Their Internet access seems pretty locked down
  • I need another way in
  • Shift gears to war dialing (Tone-Loc)

  33. Is There a Better Way?
  • Comprehensive security architecture
    • Have a security policy
    • Technologies work as a system
    • No single point of failure
    • Overwhelming defense (barriers, trip-wires, reactions)
    • Skilled staff
    • Prudent deployment and tuning of products
  • Limit how much is learned the hard way
    • Know the threat and your weaknesses
    • Track threat tools and security technologies
    • Proactive approach to mitigation
    • Audit posture regularly
  • Cheaper to pay upfront than after the fact
  • Stay employed and in business!

  34. SAFE Security Blueprints
  (diagram modules: Medium Business/Branch Campus, SP Edge, Medium Business/Branch Edge, Corporate Internet Module, Campus Module, PSTN Module, ISP Edge, Frame/ATM WAN Module)
