Common IS Threat Mitigation Strategies An overview of common detection and protection technologies

1. Common IS Threat Mitigation StrategiesAn overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com

2. Common IS Threat Mitigation Strategies: An overview of common detection and protection technologies AGENDA • Intro • Securing the Perimeter • Intrusion Detection • Intrusion Prevention • The New Perimeter • Q & A

3. A risk management approach to security WHY MITIGATE? • Modern networks are complex systems • Each node has specific security characteristics • Nodes interact with each other • Subject to constant change (business driven) • Security as an emergent characteristic • Focus on risk • 100% bulletproof is an utopian dream • As countermeasures and protection mechanisms evolve, attacks evolve too

4. Friends in, Foes out. Defining and securing the network perimeter SECURING THE PERIMETER

5. SYN | port 80 SYN | ACK | ISN# 2222 ACK #2222 | port 80 | data ACK#bbbb| data Packet filters can control which packets are allowed to get through the firewall and which are not PACKET FILTERS • Packet filter • Rules based on individual packets • Real fast • Most popular routers incorporate this functionality • Stateful packet filter • Rules can refer to established sessions or flows • Very fast • Most modern firewalls are stateful

6. HTTP Response BLOCKED! HTTP GET /index.html HTTP GET /index.html HTTP Response HTTP GET /null.printer Application layer firewalls provide a more granular control of networked applications and services APPLICATION LAYER FIREWALLS • Police traffic at the application layer • Pros • Rules refer to specific services • Can spot protocol deviations and abuses • Very granular control on protocol specifics (deny FTP anonymous login, disable unused SMTP commands, block “ ‘ “ in HTTP form fields) • Cons • Resource intensive • Tough to keep up with app-layer protocols

7. Dividing the network in different physical segments has many advantages NETWORK SEGMENTATION • Assigning trust to network segments • Pros • Reduces “attack surface” at many levels • Contains or limits successful intrusions • Provides control and audit capabilities for internal traffic • Cons • Tough to configure and manage if the network is very dynamic • Strict performance requirements

8. A classic segmentation example: the DMZ NETWORK SEGMENTATION (2)

9. Intrusion Detection Systems passively monitor the network’s operation for attacks and anomalies INTRUSION DETECTION • Monitor the network for security events • Intrusion attempts • Successful attacks • Anomalies • Forensics • Network audit trail • Internally deployed • Detect anomalies within the perimeter • Externally deployed • Measure threat (?)

10. There are many different IDS technologies being developed today INTRUSION DETECTION STRATEGIES • Signature based • Watches for known attacks (signatures) • Can detect some well defined anomalies • Anomaly • Watches for anomalies (not known attacks) • Self learned (adapts to the network) / Programmed (follows defined rules) • Host based • Sensor sits in monitored host • Network based • Sensor sits on network • Hybrids

11. Each one of these technologies has limitations INTRUSION DETECTION LIMITATIONS • Signature based • Can only detect known attacks (sometimes only specific attack incarnations) • Must be constantly updated • Anomaly • Cannot easily absorb change • Some attacks are hard to separate from legitimate traffic • Host based • Requires widespread deployment of sensor/agent (hard to manage / expensive) • Introduces complexity into end-systems • Network based • Vulnerable to differences in TCP/IP implementations

12. Intrusion Prevention generates and active response to intrusion events INTRUSION PREVENTION • Responds actively to security events • Terminates network connections • Communicates with the firewall / switch to disconnect / block attacker • Terminates compromised process • Pros • Doesn’t require human attention (?) • Can preemptively block known intrusion attempts • Cons • Doesn’t require human attention (!) • Can block legitimate use • Can be turned into a DoS (remember spoofing)

13. Several different intrusion prevention strategies at the host level are being developed HOST IPS • Code injection protection / mitigation • Non executable stack (Sun Solaris) • Non writeable code segment, non executable everything else (OpenBSD, Linux w/GR Security, Windows XP sp2 w/AMD64) • Address randomization (OpenBSD, GR Security) • Containment • Chroot jails (POSIX) • System call policing, systrace (OpenBSD, NetBSD) • Privilege separation (OpenBSD)

14. The concept of a network perimeter is coming to an end THE NEW PERIMETER • Peer 2 Peer • HTTP tunneling • SSL • Instant messaging • Rich e-mail clients

15. Personal firewalls bring packet filtering to the workstation PERSONAL FIREWALLS • Polices traffic coming in and going out the workstations • Adds the application dimension to the rules • Dynamically configurable • Starts to borrow capabilities from IPS

16. Q & A

17. Thank You! Maximiliano Caceres | max@coresecurity.com http://www.coresecurity.com